Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp |
String found in binary or memory: https://onedrive.live.com/ |
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502105694.0000000000929000.00000004.00000020.sdmp |
String found in binary or memory: https://onedrive.live.com/b |
Source: SBG-1100319PurchaseOrder.exe, filename1.exe, 0000000D.00000002.341786606.0000000000560000.00000040.00000001.sdmp |
String found in binary or memory: https://onedrive.live.com/download?cid=1685231EC8E4EC43&resid=1685231EC8E4EC43%21505&authkey=ANKqoxx |
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000003.345228305.0000000000971000.00000004.00000001.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502175655.000000000094A000.00000004.00000020.sdmp |
String found in binary or memory: https://vug8la.am.files.1drv.com/ |
Source: SBG-1100319PurchaseOrder.exe, 00000002.00000002.502229070.0000000000971000.00000004.00000020.sdmp, SBG-1100319PurchaseOrder.exe, 00000002.00000002.502196213.000000000095A000.00000004.00000020.sdmp |
String found in binary or memory: https://vug8la.am.files.1drv.com/y4mT1QYIp_fyTE8Fy0lLLYF_0s99rPZfbzgWA1b5QlZt4eQwn4RVNktZv9qdlLB64Ai |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056616E NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00565D24 NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056645C NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00566474 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056640C NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056642A NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005664D8 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00565CCB NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005664FA NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00565CE1 NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056648A NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00566174 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005661CE NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005661FE NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005661E8 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056618C NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005661B8 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056624A NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00566264 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056621C NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005662CA NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005662F0 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00566296 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00566280 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005662B4 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056635A NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056636E NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00566306 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056633C NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00566324 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005663C8 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005663E0 NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056638E NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005663AE NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056616E NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00560500 EnumWindows,NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00565D24 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00560754 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00565787 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056645C NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00566474 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056506E NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056640C NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056642A NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005664D8 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00565CCB NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005664FA NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00565CE1 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056648A NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00560D56 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00566174 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00566569 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00560D13 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00560D28 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005661CE NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005605CA NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005605F2 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005661FE NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005661E8 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00560586 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056618C NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005661B8 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00560DA8 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056624A NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00560664 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00566264 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056621C NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056062B NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005606D4 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005662CA NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005662F0 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00566296 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00560698 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00566280 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005662B4 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056635A NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00564F76 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056636E NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00566306 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056633C NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00566324 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005663C8 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005663E0 NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056638E NtSetInformationThread, |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005663AE NtSetInformationThread, |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
RDTSC instruction interceptor: First address: 000000000223033D second address: 00000000022346F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CC92A9h 0x00000010 jmp 00007F1880CC4246h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CC4246h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CC34DAh 0x00000032 jmp 00007F1880CC4242h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CC4242h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CC4242h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
RDTSC instruction interceptor: First address: 00000000022346F2 second address: 0000000002234756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CB64F2h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CB65E9h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CB64F6h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
RDTSC instruction interceptor: First address: 00000000022348F1 second address: 0000000002234988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CC4242h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CC4242h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CC4242h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CC4246h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CC4246h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
RDTSC instruction interceptor: First address: 000000000056033D second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CBB559h 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CB64F6h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CB578Ah 0x00000032 jmp 00007F1880CB64F2h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CB64F2h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CB64F2h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
RDTSC instruction interceptor: First address: 00000000005646F2 second address: 0000000000564756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CC4242h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CC4246h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CC4339h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CC4246h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
RDTSC instruction interceptor: First address: 00000000005648F1 second address: 0000000000564988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CB64F2h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CB64F2h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CB64F2h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CB64F6h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CB64F6h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions: |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
RDTSC instruction interceptor: First address: 00000000021C033D second address: 00000000021C46F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F18804EC169h 0x00000010 jmp 00007F18804E7106h 0x00000012 test dh, bh 0x00000014 jmp 00007F18804E7106h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F18804E639Ah 0x00000032 jmp 00007F18804E7102h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F18804E7102h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F18804E7102h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
RDTSC instruction interceptor: First address: 00000000021C46F2 second address: 00000000021C4756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CB64F2h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CB65E9h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CB64F6h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
RDTSC instruction interceptor: First address: 00000000021C48F1 second address: 00000000021C4988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CC4242h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CC4242h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CC4242h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CC4246h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CC4246h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
RDTSC instruction interceptor: First address: 000000000056033D second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1880CBB559h 0x00000010 jmp 00007F1880CB64F6h 0x00000012 test dh, bh 0x00000014 jmp 00007F1880CB64F6h 0x00000016 cmp al, 27h 0x00000018 cmp ch, bh 0x0000001a test bh, dh 0x0000001c cmp cx, dx 0x0000001f nop 0x00000020 mov eax, 00000539h 0x00000025 mov ecx, dword ptr [ebp+1Ch] 0x00000028 mov edx, 8802EDACh 0x0000002d call 00007F1880CB578Ah 0x00000032 jmp 00007F1880CB64F2h 0x00000034 test cl, 00000039h 0x00000037 push esi 0x00000038 jmp 00007F1880CB64F2h 0x0000003a cmp dx, ax 0x0000003d push edx 0x0000003e jmp 00007F1880CB64F2h 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
RDTSC instruction interceptor: First address: 00000000005646F2 second address: 0000000000564756 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F1880CC4242h 0x0000000e test ch, bh 0x00000010 jmp 00007F1880CC4246h 0x00000012 test cl, bl 0x00000014 cmp eax, 00000539h 0x00000019 jne 00007F1880CC4339h 0x0000001f push 6DDB9555h 0x00000024 jmp 00007F1880CC4246h 0x00000026 pushad 0x00000027 mov edx, 00000015h 0x0000002c rdtsc |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
RDTSC instruction interceptor: First address: 00000000005648F1 second address: 0000000000564988 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ebx, dword ptr [eax+78h] 0x00000008 jmp 00007F1880CB64F2h 0x0000000a cmp eax, ebx 0x0000000c mov eax, dword ptr [ebp+04h] 0x0000000f add eax, ebx 0x00000011 mov ecx, dword ptr [eax+18h] 0x00000014 jmp 00007F1880CB64F2h 0x00000016 test ecx, edx 0x00000018 mov dword ptr [ebp+08h], ecx 0x0000001b jmp 00007F1880CB64F2h 0x0000001d test ch, bh 0x0000001f mov ecx, dword ptr [eax+1Ch] 0x00000022 mov dword ptr [ebp+14h], ecx 0x00000025 jmp 00007F1880CB64F6h 0x00000027 test cl, bl 0x00000029 mov ecx, dword ptr [eax+24h] 0x0000002c mov dword ptr [ebp+10h], ecx 0x0000002f mov esi, dword ptr [eax+20h] 0x00000032 add esi, dword ptr [ebp+04h] 0x00000035 xor ecx, ecx 0x00000037 jmp 00007F1880CB64F6h 0x00000039 pushad 0x0000003a mov edx, 0000002Eh 0x0000003f rdtsc |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
RDTSC instruction interceptor: First address: 0000000000563162 second address: 00000000005646F2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+000000A0h] 0x00000010 mov edx, AC928EF4h 0x00000015 call 00007F1880CC5769h 0x0000001a jmp 00007F1880CC4242h 0x0000001c test cl, 00000039h 0x0000001f push esi 0x00000020 jmp 00007F1880CC4242h 0x00000022 cmp dx, ax 0x00000025 push edx 0x00000026 jmp 00007F1880CC4242h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
RDTSC instruction interceptor: First address: 000000000056322C second address: 000000000056322C instructions: |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 0_2_0223465F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 0_2_02231EEC mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 0_2_02231ED8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 0_2_02232ADD mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 0_2_02231F14 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 0_2_02234FA8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 0_2_02231C8F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00565810 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056465F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00562AC6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005657DC mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_005657C0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00565787 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_0056578A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SBG-1100319PurchaseOrder.exe |
Code function: 2_2_00564FA8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 12_2_021C465F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 12_2_021C2ADD mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 12_2_021C1ED8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 12_2_021C1EEC mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 12_2_021C1F14 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 12_2_021C4FA8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 12_2_021C1C8F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00561ED8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00565787 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00565810 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00561C8F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056465F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00562ADD mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00561EEC mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00561F14 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056171F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005657DC mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_005657C0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_0056578A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\subfolder1\filename1.exe |
Code function: 13_2_00564FA8 mov eax, dword ptr fs:[00000030h] |